There is no one answer that will fit every institution. Having worked in several institutions from $35MM to 1B, what worked for one, would not work for the other.
I guess I'm a little confused by your question. Do the dept heads have change rights to everything in the system or just their department? Can the CFO change loan info or just the investments? I would want him/her to only have change rights to what is needed.
As for him/her having change rights, I'm not against it, but with some provisions. 1) It is truely a small department. 2) There is an independent review process (there sounds like it is). 3) The changes are made as a result of a backup process only (for example dept of 2 and 1 employee is out sick).
The question is can he/she control a process from a-z? If so, that is ok as long as there is an independent review process immediately following (not annually, for example). After testing the review process, is it effective? If so, then you are fine. If not, then you have a problem.
Hope this helps!
You gain education by reading the fine print. You gain experience by not.