Ideally, Read only for Audit in Rights Object should not have the privileges to edit, stop audits and clear audit histories through the Audit Settings (even if the settings are not saved) and they should receive an error that this is not possible ...