As a cloud engineer setting up a Google Cloud project for an application processing sensitive user data, you need to provide the audit team with the ability to review IAM policies without altering them or accessing the data. What is the best way to set up their access?