This is a real question for organizations that do ISO 27001 (information security) because surveys consistently report that most breaches of confidentiality are committed, accidentally or deliberately, by disgruntled employees. It must also be borne in mind that computer evidence is easily deleted or tampered with, and must be protected according to rules of evidence (which vary from one jurisdiction to another) if it is to stand up in Court.
The auditor will almost certainly be under a duty of care to report unethical or illegal behaviour. The question is, how?
If the organization operates an all-too-common audit reporting process, the report of such behaviour will languish for some time before getting attention. Further, its distribution will likely not be confidential. If the accused person (or someone with a vested interest in hiding the breach) gets sight of it, they may be able to destroy vital evidence and computer records, escape arrest -- or worse, coerce the auditor.
Further, once a breach is clear, confidentiality may be required to avoid copy-cat breaches, preserve staff morale, maintain the confidentiality of detection and prevention methods, and so forth.
Also, once illegal or unethical behaviour has been formally reported to the organization, it may face legal responsibilities and liabilities, some concerned with its speed of response, care of evidence, and action on containing and managing consequences. Furthermore, legal and policing matters are not generally the competence of the quality department.
There is also the possibility that the auditor has misunderstood the situation.
Therefore, the auditor must find an appropriately speedy and confidential method of reporting the situation, and if necessary take care of his or her personal safety. This will typically be the Compliance Director, Legal Affairs Director, Head of Security, HR Director, etc.
Certification Body auditors have an additional challenge: the Confidentiality Agreement signed by the Client, the CB, and the CB auditors. My understanding is that CB auditors will report the situation to the CB's Compliance Director, and CB action will then be guided by the laws applicable in the country or state where the audit is being conducted. In certain serious circumstances the situation will be reported to local law enforcement, and the client will be notified through senior channels if the law allows. (In the case of money laundering, for example, it may not allow for fear that evidence will be tampered with if perpetrators are given forewarning.) If the auditor's personal safety is at risk (for example, if organized crime may be involved) that too will be a consideration.
In other words, the management systems audit reporting mechanisms were not designed for criminal or unethical situations, and that's one reason that ISO 27001 has separate mechanisms for reporting and managing security incidents and weaknesses.
Hope this helps,
Pat