(2) Identity verification procedures. The CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must enable the bank to form a reasonable belief that it knows the true identity of each customer. These procedures must be based on the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank’s size, location, and customer base. At a minimum, these procedures must contain the elements described in this paragraph (b)(2).
The specific suggestion for bank- or enterprise-wide and OFAC risk assessments is the product of the BSA/AML examination handbook. The prefatory CIP risk assessment was actually required by the regulation above. Note that it does not suggest a repetitive exercise, but repetition would be prudent.
There is no reason why you cannot conduct a single risk assessment that incorporates each element of risk; common sense would suggest it is the preferred approach. More to the point, there is a dramatic amount of overlap between appendices J and M describing the relevant matrices; some of the questions are repetitive. Just make certain you mention the relevant considerations for CIP and OFAC in the appropriate sections of your combined product.
I cannot reconcile your auditor's criticism with your description of your risk assessment; i.e., I think what you did is fine and there is absolutely no need for a separate document.