Hacker News

"Asking them to be guarantors of truth is maybe putting a bit too much faith in a non-judicial investigation"

But them knowing what they are checking is maybe a reasonable ask?




That almost seems like they would need to be active in the relevant field they are auditing. I’m not sure if the auditor role pays enough to hire people from all of the various fields that have to be audited.


They'd also have to be trained in fraud investigations and counter-espionage considering who they're up against. It's not the purpose of an auditor.


"It's not the purpose of an auditor."

Well, what is the purpose of an auditor then in this context? Genuine question. Not my world.

I know code auditors - and they have to know about programming and the domain to provide any meaningful audit.


Audit is not a foolproof guarantee that no fraud exists, the same way that locking your door doesn't guarantee that no crime exists. It deters opportunists by making crime more difficult and onerous.

In this context, they're just making sure the answer isn't "no, it's not encrypted". Sure, you can lie, and that would fool them. But your answer will be cross-checked with other employees, maybe with other documentation if those exist.

And sure, you can forge all of those as well, as Marsalek did with his bank statements. But this sort of verification significantly raises the bar to how difficult it is to commit fraud: you now need to get several people into the conspiracy to forge those documents and audit trail. Your average employee isn't willing to lie for their company for no good reason and risk prosecution, and may very well whistle-blow on you.


Being an expert certainly makes you a better auditor, but it's not any more necessary than making police officers have law degrees.

Software development has a frustrating history of reappropriating words from other contexts. Your "code auditor" is probably more akin to an OSHA compliance officer/safety inspector. Again, experience helps, but you don't need to be the architect of the Pyramids to ensure everyone onsite is wearing a helmet.

They make a good-faith effort to ensure some checklist of conditions is met.



