In case you were not aware, with z/OS V2.3 and above, RACF now provides a function called Read Only Audit (ROAUDIT)
You can set this attribute on a userid and they will be able to do the following (Basically LOOK but don't touch)
A user who has the ROAUDIT attribute has the authority to list auditing information using the
LISTDSD,
RLIST,
LISTUSER,
LISTGRP,
SETROPTS LIST,
SEARCH commands
as well as the IRRUT100 utility
Unlike users with the AUDITOR attribute, users with the ROAUDIT attribute are unable to specify logging options or to control logging to the SMF data set.
Thought this might be helpful to ADMINs for CMOD.
Lizette