I'm somewhat new to banking and haven't encountered this before. Our Internal Audit department's charter states that they have unrestricted access to people, systems, etc. Our process for granting system access is to have the application owner approve it, and then IT sets the authority in place.
Internal Audit says they do not need to have the application owner involved, and that their request to IT is sufficient, if their access is read-only. My concern is that a lot of damage can be done with read-only access. Additionally, Internal Audit is against having their access requests reported to the IT Steering Committee or Board.
I can understand if this is needed for a confidential matter. Outside of that, it seems like we're missing a proper control here. Am I off base? How do other bankers handle this?
Thanks!