A better way is to design your database with a transaction API, using stored procedures.
All (and I do mean all) access to tables is via stored procedure(s). this means that when a select is carried out, the sp is invoked. The SP should correctly return the requested records, but behind the scenes it will also insert into a "designed in from the start" audit table, that such and such a user selected these records from that table at timestamp xyx. Because the SP is the only way in and out for data, audit cannot be circumvented, other that by a very privileged user, e.g. a DBA.
Note that even what I've just said is the barely acceptable minimum. Since a business wants business process audit, a table by table audit is almost useless, where for example, a single transaction updates 50 data in 20 tables. Only a wizard could correlate 50 timestamps from these tables and mentally build up a picture of the business process which must have caused it.
I imagine that your employers want functional audit, so build that into your transaction API, not table audit, unless you are truly hard-pressed.
There is one far more knowledgeable that I, who has chapter and verse on this at
Don't get confused with a table API (which is quite rightly panned) Tom advocates a transaction API. Unfortunately I have seen both of these abbreviated to TAPI, which is highly confusing, I admit.
If you do what tom proposes, build a table API, which is called by the transaction API (this is the best solution, but naturally, most work). The users are only given access to the transaction API. The application will know nothing of the underlying data tables.
If you build a transaction API which accesses tables directly, this is still great, just not quite as good as doing both transaction and table API's.
Even though the discussion is Oracle-centric, the principles still apply to other technologies, e.g. sql server and my sql.
Grinding away at things Oracular