Confirming that he is an auditor is insufficient. A sufficiently clever legitimate auditor might attempt social engineering attacks and fail you if they succeed.

In fact, this seems like a more effective way to sniff out plaintext password storage than saying "show me everywhere you touch passwords and how they're encrypted".

Sorry, if I was unclear. Confirming that he is an auditor should be a checkbox in an audit as should be limiting the information provided to an auditor. While I like your idea that it would show if they could get access to users passwords even handing out the salted password list is a bad idea.

One of the more interesting government audits I have heard about was the auditor did a basic internal audit and said he was part of physical secuity ect so people knew he was part of the audit team. He then showed up late, turning off the power supply to the building and then pointing at people who show up at the generator and saying "bang your dead" this is part of an audit etc. If they failed to call security before everyone was "dead" they where considered to have failed that part of the audit. He also attempted to get into the building without showing up on camera's ect. All of which sounds like a fun job and a good idea.