At both institutions A and C, there was at least one internal auditor who possessed a technical certification
(e.g., CISA or CISSP) related to information security. In contrast, at Institution B none of the internal audit staff
possessed much information systems audit technical expertise. Interestingly, the internal auditor at
Institution B admitted that the lack of technical expertise within the internal audit staff limited the depth
of interaction with the information security function: