Which document should an IS auditor first reference when performing an audit?

Prepare for the CISA Domain 5 Exam with our quizzes. Engage with flashcards, multiple-choice questions, detailed hints, and explanations. Boost your confidence and get ready to succeed!

The first document an IS auditor should reference when performing an audit is the approved policies. Approved policies serve as the foundation for the governance framework of an organization. They establish the organization's approach and commitments regarding information security, risk management, compliance, data protection, and overall operational integrity.

These policies provide a high-level outline of what the organization deems important and guide the implementation of more detailed procedures, standards, and practices. They represent the official stance and management's directive on how certain issues should be addressed, making them crucial for auditors who need to assess whether the organization's practices align with its stated objectives.

By starting with approved policies, the auditor can understand the intended governance framework, enabling them to measure compliance and effectiveness of implemented procedures and internal standards in relation to the organization's goals and regulatory requirements. This ensures that the audit process is aligned with the organization's strategic objectives and risk appetite.
