What should an IS auditor FIRST reference when conducting an IS audit?


When conducting an IS audit, the first reference an IS auditor should consult is the approved policies. This is because approved policies provide the foundational framework for the organization's approach to information security, governance, and overall risk management. They are formally documented and endorsed by management, making them crucial for setting expectations and establishing the rules and guidelines that govern the organization’s operations.

Policies define the organization’s strategic objectives, security posture, and compliance requirements, which guide the implementation of various procedures and internal standards. By starting with the approved policies, an auditor ensures their evaluation aligns with the organizational goals and objectives, as well as regulatory requirements.

Furthermore, while implemented procedures, internal standards, and documented practices are important for understanding how policies are put into action, they are secondary to the policies themselves. Assessing these elements against the approved policies lets the auditor evaluate whether the organization is actually adhering to its intended frameworks and objectives. This top-down understanding helps in identifying control gaps, risks, and areas for improvement within the organization's information systems.
