I would think the first two could fairly easily be done in-house, but the last three require specialized technical expertise.
Assuming that the internal audit has someone familiar enough with information technology to make the audit worthwhile. The references are good, but it takes someone very familiar with the controls, systems and terminology to make it valid.