Is there a way to grant internal auditors access to all data objects (risks, controls, etc.) without making them system Admins?
You should be able to do so, yes. Have a look on how to limit users access (Configuration guide) and who sees what when loading an “index” under the Visualisation features:
The next release makes this two features better by allowing the use of multiple groups…next week we’ll show how that is done.
Have a look on those two guides and let us know if you need further help