I've worked at some rather large companies with insanely relaxed security and auditing standards. I think it's even worse now than before because cloud providers make setting up a database cheap and simple. So today an individual or small team can throw together a production-scale MongoDB in a few hours and start filling it with potentially PII; whereas 10 years ago, something like that stood a good chance of having at least one external DBA/IT-person consulted before going into prod.

My line of thinking is to assume auditing and access controls are lax unless the data in question is part of the company's secret sauce, or is regulated by the government.