About the first point, we can classify audits into compliance audits and non-compliance audits.

About the second point, it kind of corresponds to a test of design (TOD) or design effectiveness test (DET): the auditor checks the control design of something. For example, an auditor checks the physical access control design of a data center. S/he finds areas with access card control and guards but no CCTV. S/he might find the design a bit lacking and then recommend that they install CCTVs. Checking existing policies and procedures is TOD.

The third point kind of corresponds to a test of effectiveness (TOE) or operational effectiveness test (OET): the auditor checks whether the designed controls are working and effective. For example, the auditor might find through observation that the guards are sometimes not in their places for an extended period. The auditor should check both technical controls and non-technical controls.
In a compliance audit, the auditor checks whether the design complies with regulations (TOD), and then checks the implementation of the control design (TOE).
In a non-compliance audit, the auditor evaluates the design using existing frameworks and standards as references, such as TIA-942 (TOD). After that, s/he checks the implementation of the existing control design (TOE).
The auditor should do both TOD and TOE (points 2 and 3?); only doing TOD is not enough and might lead to false assurance. Only doing TOE... err... I guess it's not systematic, not prudent?