iwlist (8) and other wireless tools provide a common interface for different wireless device drivers that support Linux Wireless Extensions (WEXT). Each driver registers handlers using WEXT, which implement device-specific operations defined by this interface. Two handlers for scanning are scanning a trigger (SIOCSIWSCAN command) and receiving scan results (SIOCGIWSCAN command). After the scan is completed, the device sends the SIOCGIWSCAN event to WEXT via netlink. An application listening on this socket can then issue the SIOCGIWSCAN command to receive scan results from the device. Please note that the device is free to scan as it chooses. For example, it can passively listen to beacons or actively scan by sending sounding requests.
The above is clearly vague in the mechanics of sending commands to the device, because there is a traditional way (ioctl) and a new way (netlink - cfg80211). But to take a concrete example, consider the traditional way. Ioctl calls are implemented in the WEXT module, but the code that processes this command is implemented in the device driver. When the user-space application creates ioctl, WEXT looks at the device driver handler and launches it.