A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
Intercepting communications (including telephone calls, emails, instant messaging traffic, VoIP traffic, etc.) is against the law in many countries, and it doesn't matter at all that you have a personal relationship with the party you are monitoring.
If you have explicit consent from all parties involved in the communication to perform monitoring you might be safe (e.g. they KNOW you are doing it and have given permission), but even then I wouldn't make assumptions about this (standard disclaimer IANAL).
Heed the warning, and keep in mind that discussion of illegal activities on this forum is strictly prohibited (it will earn you an instant ban).
I would suggest you read up on the telecommunications interception laws for your local jurisdiction - you will likely be surprised about what they say is illegal, because many of them were written in a time before computers came into widespread use. It's quite possible that they will fly in the face of what you consider common sense, but you don't have to agree with a law, or think it's sensible, to be bound by it.