(i) Complete, audit-proof logging of system activities, changes, and approvals—e.g., via SM20, STAD, SUIM. (ii) Audit-proof documentation of system access, data migrations, and configurations.