Auditors like certainties. In general "we think it is read only, but we can't be sure" doesn't cut it. Especially if external accounts are at stake. For internal reference I'd go for the "change all the profiles and lock transactions" approach, but also take a backup that I'd restore before auditors needed access.
I guess if people ask for proof that nothing has changed you can suggest they look at the change document tables. There shouldn't be any since the system was frozen, except maybe for users/roles/profiles.
Steve.