
Difference between Citation and Policy statement

dedeepyat
Giga Contributor

Hi,

Can someone please tell me the difference between Citation and Policy statement in GRC? Also, what is Control exactly?


hareesh4
Giga Contributor

Taking a step back, here is a thought from my side explaining from Citation and Policy level.



Conceptually, a Citation and Policy might be different. But operationally, as I see in the Policy and Compliance module and subsequent usage in the Audit Management module, they are similar.



Citations are like various sections of an Authority Document. Service-Now GRC offers various UCFs which, upon import, create an Authority Document and corresponding Citations under each Authority Document.


E.g. Authority Document can be COBIT 4.1; Citation can be AI6 - Manage Change; Policy Statement can be - "Every change should have a formal approval".



Policies are something which are internal to an Organization for Internal Audits and sometimes are published to ensure compliance with external Regulatory requirements too.


E.g. Policy - Change Management Policy; Policy Statement can be - "Every change should have a formal approval".



Thus Policy Statements are below Citations or Policies.


They detail what is expected by a Citation or Policy for a successful compliance.