> Well, it is a government agency tasked with audits. Why shouldn't it have root access?

Why should it? I've participated in a number of audits. None of them involved giving the auditors root access. They get read-only access to exactly what they need and nothing more, if they get access at all. Oftentimes it's the people with access pulling data based on what they request.