This is actually counted as vulnerability by our security scanners and therefore to satisfy Audit needs
My experience with security scanners is that when they find a vulnerability they point us to a knowledge base article that describes the issue and also provides instructions on how to fix it. Go back to your auditors and ask them to review the scan report and contact the scanner software support team if you have to, and ask them for instructions on how they expect you to fix this.
PowerShell is Microsoft's solution to provide a common framework for supporting the Windows OS. The problem that they recognized was that there were multiple executables like ipconfig.exe and netsh.exe and they all had different command line interfaces. And the classic .bat/.cmd language was just archaic. But they had to leave those programs in place to allow for compatibility for existing users.
I've seen malware that uses PowerShell to do a base64 encoding and hide itself inside of WMI. That is likely what the scanner is trying to address. But if powershell.exe is a vulnerability, then so is cmd.exe, and cscript.exe, and csc.exe, and wmic.exe and just about every other executable in Windows\System32.
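The base64-in-WMI pattern mentioned above can be checked for directly on a host. The following is an added example, not part of the original answer: the function name `Find-EncodedPowerShell` and the sample command lines are constructed for illustration, and it assumes the encoded payload is passed through the `-EncodedCommand` parameter (or one of its abbreviations) in a stored command line.

```powershell
# Added example: find and decode -EncodedCommand payloads in command lines,
# e.g. the CommandLineTemplate of WMI CommandLineEventConsumer instances.
function Find-EncodedPowerShell {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$CommandLine
    )
    begin {
        # A switch name followed by something that looks like base64.
        $pattern = '(?i)(?:^|\s)[-/](?<name>[a-z]+)\s+["'']?(?<b64>[A-Za-z0-9+/]{8,}={0,2})'
    }
    process {
        foreach ($m in [regex]::Matches($CommandLine, $pattern)) {
            # powershell.exe accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
            $name = $m.Groups['name'].Value.ToLowerInvariant()
            if ($name -ne 'ec' -and -not 'encodedcommand'.StartsWith($name)) { continue }
            try {
                $bytes = [Convert]::FromBase64String($m.Groups['b64'].Value)
            } catch {
                continue   # not valid base64, ignore
            }
            [pscustomobject]@{
                CommandLine = $CommandLine
                # -EncodedCommand payloads are UTF-16LE text
                Decoded     = [Text.Encoding]::Unicode.GetString($bytes)
            }
        }
    }
}

# Constructed sample input (harmless payload, encoded here rather than hard-coded).
$b64 = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes('Write-Output "constructed sample"'))
$samples = @(
    "powershell.exe -NoProfile -WindowStyle Hidden -enc $b64",
    'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1',
    'cmd.exe /c echo hello'
)
$samples | Find-EncodedPowerShell | Format-List

# On a live host (elevated), the same check over WMI permanent subscriptions:
# Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer |
#     ForEach-Object { $_.CommandLineTemplate } | Where-Object { $_ } |
#     Find-EncodedPowerShell
```

Only the first sample is reported, with its decoded text shown next to the original command line.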