There are lessons that people learn over time and come up with best practices to avoid repeating the mistakes. If the intent is to really uncover waste and fraud then one way could have been

1. To ask for READ access to all the data with PII/sensitive scrubbed.

2. Any action to modify the content/data should ideally have followed the existing path/mechanism