OCIO management should design and implement a process to ensure access control documentation, such as application user listings with the required data elements (i.e., account creation and recertification dates), is retained to support its system of internal controls and operational needs as required by GAO standards.