In my last post, I described how 2 security teams not only failed to review access to a major security app for 2 years but then made administrative-level security access changes on the fly with no approved ticket–actually, no ticket at all.
Neither the security team admins or the business team admins thought this was a problem, even after I questioned it and told them I was from internal audit.
ITauditSecurity 