Yes, but is it best practice

On almost a yearly basis it seems like we have an audit for some reason. In each audit, the password policy has gotten flagged. We have a policy requiring Letters (uppers, lowers), numbers and special characters, 3 of the 4. We haven’t implemented the requirement in account policy. So each audit, a report goes to the executives with this as a highlighted item, and each time, they reject implementing what has been a company policy since the beginning of the company.
So we have this long list of external auditors who have made this recommendation. But that’s not good enough. The execs want it to be shown that it’s “best practice”. I guess someone is going to have to peer into the world of other companies our size and in our business and see what their password policy is. *sigh*