You are free to disagree with your auditor about the need for a policy on any topic where it is not mandated by law or regulation. A written RFPA policy is not a legal requirement and most community banks do not have one. It would only be cost justified if your bank received lots of demands for information from the federal government.
Your bank (every bank) does have a practical need for written procedures addressing how to handle third-party demands for customer funds and information, including demands and inquiries from law enforcement. Demands from the federal government should be included there, but there is no need to treat them separately - most of your procedures for delivering funds and information to third parties will be the same no matter who the third party is. The specific requirements of RFPA, e.g., obtaining certifications, will be no more than footnotes to your everyday procedures.