Were you part of external or internal audits, or both?

Both external and internal audits provide complementary views of an organization's security controls. Internal audits are conducted within the organization to assess whether policies, procedures, and controls are properly designed and followed, helping improve governance and risk management from the inside. External audits are performed by independent parties to provide objective assurance about the effectiveness of controls, often for regulatory or oversight bodies. In a FISMA context, there is a need for independent evaluations of the security program, while internal audits help continuously monitor and enhance control environments. Experience with both shows you understand how controls are implemented, tested, and improved from both an internal governance perspective and an external assurance perspective, making it the most comprehensive and valuable background.