An auditor doing a formal compliance audit may have access to all confidential data contained in the secure repository specified in section 2.1.1. The auditor will not have access to cryptographic keys that are part of the CA infrastructure. The repository does not contain private keys of subscribers.
Any auditor will be required in writing to agree keeping all confidential data secret and not to publish it in any reports.