Any audit (or independent testing) should be risk based, based on the size and complexity of the organization. That said, I agree with Monster that looking only at the written policies and procedures without conducting actual testing for compliance wouldn't be enough.
To back this up, look at the CFPB's SAFE Act exam procedures here:
https://files.consumerfinance.gov/f/201203_cfpb_update_SAFE_Act_Exam_Procedures.pdf. You will see that the exam procedures specifically say this:
"If the institution has failed to adopt policies and procedures and to perform annual independent compliance tests, the examiners should address the violation in the examination report and require corrective action." As you can see, they specifically call it "compliance tests" rather than "a review of policies and procedures."
The exam procedures would also be a great starting point for you to base your annual independent review.
_________________________
Adam Witmer, CRCM
All statements are my opinion, not those of my employer, and should not be taken as legal advice.
www.compliancecohort.com