What auditing considerations should be documented in Epic End User configurations?

• A. Only the date of the change.
• B. Only the user who requested the change.
• C. Only whether the change succeeded.
• D. What was changed, who changed it, when, why, and verification of effect on user access.

Answer: (D)

Auditing end-user configuration changes is all about traceability from start to finish. You need to know exactly what was altered, who made the change, when it happened, why it was requested or approved, and what the post-change reality looks like in terms of user access. This full picture lets security and compliance teams verify that permissions align with policy, that no unnecessary access was granted, and that changes can be reviewed and reproduced if questions arise later. Merely recording a single detail, like the date or who requested the change, or whether the change succeeded, misses critical context about the exact modification, the justification, and the verification that the change produced the intended effect on access. For example, if a user gains access to a restricted function, you must document the exact permission added, who authorized it, when the change occurred, the reason, and the results of testing to confirm the user now has the appropriate access without exposing broader permissions.