That depends on time, talent and size and the operation's complexity.
Many audits I've been involved with, audit functions, and it is easier if there were separate projects - audit by reviewing and ensuring the adequacy of the policies, then procedures to determine if they cover what the policy says, then audit the department's compliance with the procedures. You can give an assessment of the processes, controls and effectiveness of both at that point. It's also easier to track progress. Make sure you look at how updates to regulations are being addressed.
The ultimate decision rests with the Audit Committee - they should be calling the shots.
Integrity. With it, nothing else matters. Without it, nothing else matters.