Policies need reviewing every few years as things change, so updates are required to keep them current, and they then need to be communicated to the entire organization. Security does not work if everyone is not aware of what it is or what they should be doing.
As far as auditing your network, this requires a qualified objective person who is either outside the group or organization.
Lastly, be prepared when you go through your first audit; it will be painful, and do not be surprised by the number of issues found.