Re-reading your original post:
4.9.3 Any change or correction to a CRF should be dated, initialed, and explained (if necessary)...
An audit log would accomplish dated via its timestamp. You could probably argue that all changes made between the audit log's 'sign-in' and 'sign-out' are effectively initialed [or worst case, you'd add the userid explicitly to each change entry]. But I dont really see any reasonable way to start inserting user comments into the (background) audit log, as necessary to explain potentially every change! I think that might to almost require a parallel form (ie option 4) and hence would pretty much rule out using an audit log, right?