But how would we know? If you only gave a limit of two days and we do not even know what he did prior to that, and the heading was “Finance”, it was a very limited review of the e-mails.
Why wouldn't you allow a detailed review by IT so you can assure yourself that this hasn't happened? If you're talking about breach of privilege and you really want to respect the institution, then you should allow that to happen.