Re: Should companies be on the hook for criminal employees' doings?
By default, i expect this to mean he has (oops had*) unfettered access to the entire IT system, had the responsibility to test every procedure and recommend/implement changes (presumably improvements). Difficult to see how he could do his basic job otherwise.
Not necessarily. Auditors often have no access to the systems at all and work with people who do, to gather the evidence to support the audit. This applies both to internal and external auditors.