I prepared so much for our audit and the only thing this guy cared for in a 5 developer company was the fact that I had root access on all environments.
He didn't care about Aws having 2fa configured about our vlan ipsec Tunnel, etc
I even took the liberty to fix the md5 Passwort shit with bcrypt just before the audit...
It might be something similar as it is in software development.
At the end of the day it is a job.
But when you part of the 1% of the good people you have your team and more leaway and potentially get called for the more critical and more interesting things.
But non the less with 5 people what audit system would be even available in which only one person has access.
All smart concepts cost either a lot of money or just don't work if you don't have enough people.
Should the only techlead have access to the audit system? Probably. Should the only techlead have access to VMs? Probably yes.
I made sure my systems are encrypted, 2fa wherever possible, no external systems besides the services.