
Re: GRC AC 10 ruleset can be referred as SOD matrix


Hello,

 

I presume the auditors require a Business document (i.e. not just a technical dump from the system) stating the content of the rule set, and importantly documenting the decisions behind recognising the risks within the business. Your Internal Controls team "in theory" should be taking care of this.

 

However, if no document exists, at least get your technical rule set documented on paper/file (like how any technical solution is documented via a Design/config Document etc).

 

How the business develops this Business document is up to you (i.e. a text-based Design document detailing all the definitions, justifications, embedded matrices, etc.).

 

I am sure your auditors may be able to guide you on the type of business documents they accept.

 

All the best.

