> From the authentication systems perspective, what exactly is the difference between an employee and 3rd party auditor?
Might require different authentication providers.
> From the authorization system, why would it care who they work for, as opposed to the permissions assigned to them?
Take the case of the accountant in the parent company. Either you create a user for that accountant in each of the child companies and manage access individually for each company, or you have a single user which has access to different child companies through separate permissions or something like that.
If you do it the first way, it's more like a regular B2C case, but not exactly because you still gotta do things like automatically disable those child-users when the accountant quits the parent company.
We've hit these scenarios as customer requirements in our B2B product, YMMV.
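A sketch of the second option from the comment above (a single identity holding separate grants per child company), added here as an illustration and not taken from the commenter's product. The class names, tenant names, permission strings and IdP labels are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    subject: str
    home_org: str   # organisation that employs the person
    idp: str        # authentication provider for this identity
    active: bool = True

@dataclass
class Directory:
    identities: dict = field(default_factory=dict)
    grants: dict = field(default_factory=dict)  # (subject, tenant) -> permissions

    def add_identity(self, subject, home_org, idp):
        self.identities[subject] = Identity(subject, home_org, idp)

    def grant(self, subject, tenant, *permissions):
        if subject not in self.identities:
            raise KeyError(f"unknown subject: {subject}")
        self.grants.setdefault((subject, tenant), set()).update(permissions)

    def is_allowed(self, subject, tenant, permission):
        ident = self.identities.get(subject)
        if ident is None or not ident.active:
            return False  # unknown or offboarded: denied in every tenant
        return permission in self.grants.get((subject, tenant), set())

    def offboard(self, subject):
        """Disable the identity once and drop its grants in all tenants."""
        self.identities[subject].active = False
        tenants = sorted(t for (s, t) in self.grants if s == subject)
        for tenant in tenants:
            del self.grants[(subject, tenant)]
        return tenants

def build_sample():
    # Constructed sample data: names, tenants and IdP labels are made up.
    d = Directory()
    d.add_identity("accountant@parent.example", "parent", "parent-sso")
    d.add_identity("auditor@audit.example", "audit-firm", "audit-firm-sso")
    d.grant("accountant@parent.example", "child-a", "ledger:read", "ledger:write")
    d.grant("accountant@parent.example", "child-b", "ledger:read")
    d.grant("auditor@audit.example", "child-a", "ledger:read")
    return d
```

With per-company user records (the first option), `offboard` would instead have to locate every child-user linked to the departing person, which is the extra bookkeeping the comment describes.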