In situations like this, when an auditor makes a claim that something is required, it is like looking for a needle in a haystack. I would go back to the auditor and say that you would be glad to comply, but they need to provide you the legal or regulatory source for this recommendation. Otherwise, it is purely a risk based decision and up to management to decide.
_________________________
The opinions expressed here should not be construed to be those of my employer:
PPDocs.com