Vlad Bitwarden, which seems to use whatever settings you used before as your defaults.
I had turned off special characters, as a lot of (badly designed) sites don’t accept those. Length, capitals and similar were all OK.
I would take that “security audit” with a few pinches of salt if they are pushing for prescriptive policies. The best possible outcome is that the user has a complex password (or phrase!) that isn’t reused elsewhere (or at least isn’t too widely reused…). When you mandate numbers, that tends to give you obvious leetcode substitutions, or a 2 digit year of birth at the end of the password. When you force a special character, it’s usually a . or ! at the end, after the 2 digit number. Just pure length of password will do a lot more to secure it, than adding character constraints. Hence the famous xkcd