As for your policy, there should be no need to include this level of detail. Policies are meant to cover the high-level rules and requirements only.
From the comments listed (checklist), it sounds like your auditor is referring to your procedures. And if you are using a procedures checklist, once you have implemented the requested steps mentioned by the auditor, adding them to your checklist should suffice. But, I would love to hear suggestions from other members.
Is there a legal/ management review of contracts currently being done? If so, you could simply add a line to the policy stating, "Legal/ Management will (may?) review all (high risk) vendor contracts where appropriate." and then make sure the details are in your procedures.
Assuming you have the legal/ management step in place, I don't think the Policy needs to be updated until it is scheduled to be reviewed by the board, i.e., it doesn't need to be a new/ separate agenda item at the next Board meeting. In that case, your audit response could be, "The procedures outline the detail and the updated policy will be presented to the Board for approval XX/XX/XXXX." But remember, unless there is a violation of law or a regulation, you don't have to implement everything an auditor recommends. Assuming you do a written response to the audit, you could state, "We don't feel this belongs in the policy but it is addressed in procedures."