looking at an audit from inside of JDE only (eliminating all of the factors such as infrastructure and AD permissions etc) you can expect an auditor to look at:
*who has access to critical programs (master data management programs such as item master, address book master, supplier master etc) in Production
*who has access to create, enable or modify user profile
*who has access to security and CNC tools especially OMW configuration and permissions
*documented approvals for system changes including new user setup, role access changes, and object promotions
*extracts of the security, user, role relationship, and environment access tables
*if you are publicly traded then you also add SOX compliance into the mix