Security Auditing on Canton

One of the security auditors asked me about the scope of auditing within the Canton Network. Could you guys provide more information about the auditing process? Is auditing performed by domain-specific or party-specific auditors who are hired for that purpose ? Also, if someone wants to get started with independent auditing in a local to mainnet environment, how can they begin? What would be the recommended approach, tools, or learning path?