Enterprise Password Review

From our last external IT audit, it was recommended that there be a review of Institution password standards and controls. I'm attempting to build this program and was curious if anyone else had something I could use as a building block?  Thanks