I cannot comment on the first part of the question; however, this is the rule we follow for all audits. Sometimes it is privacy information, sometimes it is third party. It's third party information all the time because we're auditing a company and we need the consent of the company.
Normally we don't encounter problems. Normally we do the audit, we present the audit to the company, the company reviews it, comments on it, and puts in a company action plan to address the concerns we have identified. Normally we publish the audit report along with the action plan of the company. It's a bit like when we ourselves are audited by the OAG. We do exactly the same thing, except we cannot oppose being published.