I have an OTS compliance exam coming up and what they ask for is:
Sample initial notice
Sample initial and annual notices
Notice to existing customers
If using a short form, a copy of the long form of notice provided upon request
Any separately provided opt-out notice and procedures for providing it.
I would also include evidence of Board approval. I think the board had to designate a responsible officer, and you should check whether everyone was trained on the privacy program. Oh, don't forget information security.
Just my thoughts - I don't have any workpapers yet either.
_________________________
My opinions are not legal advice and are worth what you paid for them.