Was he there to audit the data? - yes.
Did he therefore have legitimate reason to access the data? - yes.
Did Morrisons take suitable precautions to ensure that when he had access to the data he didn't do something malicious with it? - no. Irrespective of what he actually did beyond his job remit, Morrisons appear to have done nothing to prevent him doing it (evidence yet to be presented and reported).
He could have been restricted to a room where he couldn't take any possessions in or out with him, and he could only work on the audit within that room. I've been to IT exams with this type of restriction, where a metal detector scan was completed to enter the exam room.
He could have had a chaperone watching him. Not exactly comfortable, but could be considered necessary.