Security requires an annual report, as does IT. That doesn't necessarily mean an audit is required, but you have to know what to talk about somehow. So an audit doesn't hurt, but as in Security, there are other items to discuss.
I think this is much like training and policies. There are a few requirements that you must hit. But it is assumed you'll do so much more just out of necessity, risk, safety and soundness, common sense, etc.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell