The most restrictive type of audit in terms of control choice is the Payment Card Industry Data Security Standard (PCI DSS). Under PCI DSS, you must implement all the controls as described. Skip a control or implement it inadequately and you do not meet the standard.

PCI DSS is far more restrictive because it is centered on payment cards and payment card processing, which have well-known risks and well-understood IT systems. PCI DSS can therefore skip over some of the risk analysis and scoping exercise needed for other types of audits, and focus on the controls that the PCI council believes work best to protect payment cards.

