Channel: SCN: Message List - Security

Re: Unpersonalized users

Normally I make auditors sit with me and extract the data to stop them pulling tables and data without the context. It's frustrating, as once they put a risk in a report that is invalid it takes a lot of effort and grief to explain why their assessment is wrong or there is a control in place already.

 

But then I worked on a few government systems, and the internal auditors had legislation or frameworks that gave them the right to access all data. It's amusing when they demand a generic user to use in their team, which contradicts a heap of items they would mark as a violation for anyone else.

 

Like Gretchen, I would be concerned with an external auditor supporting a shared account with modify access. An xls spreadsheet to track probably would not stand up in court to prove who had access and, if fraud occurred, to identify which person of the group had access. Possibly a password change each time might reduce it, but I suspect the team leader would track the password.

 

Does the system have SSO in place as well?

