Hi Dave,
Sounds like role assignment problem, and maybe your security team is missing something.
In my opinion, the best choice is to create the new user as you mentioned in your post and ensure that the roles are assigned correctly.
Also, try checking the permissions by yourself (if possible) in PFCG and compare the roles in DEV and QA systems.
Have you checked SU53 for this user?
Regards.