Re: Liable
"It's really not difficult to limit access to data"
It's easy enough to limit the access of an average employee, but what if (for example) they're the sysadmin in charge of backups? Or, as in this case, an auditor?
That said, if someone requires a high level of access, then the next best thing would be to log their actions as closely as possible. However, that only helps identify them after the event, it doesn't stop them from copying all payroll data on to a USB stick.