ISACA AAIA Sample Questions & Practice Test

Try 12 ISACA Advanced in AI Audit (AAIA) sample questions on AI governance, audit planning, model risk, data quality, controls, evidence, monitoring, and reporting, then use the Notify me form for AAIA practice updates in IT Mastery.

ISACA Advanced in AI Audit (AAIA) is a focused credential path for professionals who need to audit AI governance, data, models, controls, monitoring, and accountability.

These original sample questions preview the control-reasoning style an IT Mastery practice route should use. They are not official ISACA exam questions.

What this route should test

  • planning an AI audit from business objective to model use case
  • evaluating data quality, model change control, explainability, and monitoring
  • distinguishing design evidence from operating-effectiveness evidence
  • reporting AI risks without overstating assurance

Sample Exam Questions

Question 1

Topic: audit scope

An internal audit team is asked to review a customer-scoring AI model. What should be established first?

  • A. The color of the dashboard
  • B. The business objective, model use case, risk appetite, and control objectives
  • C. The model vendor’s marketing slogan
  • D. A list of unrelated infrastructure tickets

Best answer: B

Explanation: Audit scope should start with purpose, use, risk, and control objectives. Without that context, testing may miss the controls that matter.


Question 2

Topic: data quality

Training data contains missing fields and indicators of historical bias. Which statement best describes the audit concern?

  • A. Missing values always improve predictions
  • B. Bias indicators are irrelevant in all AI audits
  • C. Data quality only matters after deployment
  • D. Data issues can affect model reliability, fairness, and control effectiveness

Best answer: D

Explanation: Data quality and representativeness influence model behavior. AI audit work should evaluate how the organization identifies, remediates, and monitors data risk.


Question 3

Topic: evidence

Management provides a policy saying models must be validated, but no validation records exist for the reviewed model. What does the auditor still need?

  • A. Evidence that the control operated for the specific model
  • B. A longer policy document only
  • C. A screenshot of the model name
  • D. No evidence because the policy is enough

Best answer: A

Explanation: A policy supports control design, but operating effectiveness requires evidence that the control actually occurred for the population or sample tested.


Question 4

Topic: model change

A model was retrained after deployment without approval or version history. Which risk is the most direct?

  • A. The model has too much documentation
  • B. The model cannot be monitored
  • C. Unauthorized or untested changes may alter model behavior
  • D. All AI changes are automatically low risk

Best answer: C

Explanation: AI model changes need versioning, approval, testing, and rollback planning. Uncontrolled retraining can change output quality and risk exposure.


Question 5

Topic: explainability

Business owners use model outputs to make adverse customer decisions. What should the auditor review?

  • A. Whether the model file name is short
  • B. Whether explanations, decision rationale, and challenge processes are appropriate for the use case
  • C. Whether users like the model icon
  • D. Whether model documentation can be hidden

Best answer: B

Explanation: High-impact decisions require understandable rationale, governance, and recourse or challenge processes when appropriate.


Question 6

Topic: monitoring

The model’s accuracy declined after a market change, but alerts were not reviewed. What control gap is indicated?

  • A. Accuracy should never be monitored
  • B. Alerts are unnecessary after deployment
  • C. The model is always correct if trained once
  • D. Monitoring existed but the response process did not operate effectively

Best answer: D

Explanation: Monitoring controls need thresholds, ownership, investigation, and remediation. Alerts that no one reviews provide weak assurance.
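The scenario in Question 6 turns on the difference between a monitoring control that exists and one that operates. One way an auditor can test this is to take the alert history for the period, pair every alert with its earliest review, and measure how many were reviewed within the agreed response window. The script below is an added illustration, not part of the sample questions, the ISACA syllabus, or any monitoring product. The log format, field names, alert identifiers and the 48-hour response window are constructed assumptions for the example.

```python
"""Operating-effectiveness test for model-monitoring alert response (added example).

Reads a constructed alert log, pairs each monitoring alert with the earliest
analyst review of that alert, and classifies every alert in the population as
reviewed within the response window, reviewed late, or never reviewed.
"""
import re
from datetime import datetime, timedelta

# Constructed log for illustration only; the format and field names are
# assumptions, not the output of any real monitoring tool.
#   kind=alert  : the monitoring threshold fired for a model metric
#   kind=review : an analyst acknowledged the alert with that id
ALERT_LOG = """\
2026-03-02T09:15:00Z kind=alert id=A-1001 model=customer-scoring metric=accuracy value=0.81 threshold=0.85
2026-03-02T11:40:00Z kind=review id=A-1001 by=mrm.analyst ticket=INC-4410
2026-03-09T09:15:00Z kind=alert id=A-1002 model=customer-scoring metric=accuracy value=0.78 threshold=0.85
2026-03-16T09:15:00Z kind=alert id=A-1003 model=customer-scoring metric=accuracy value=0.74 threshold=0.85
2026-03-20T08:00:00Z kind=review id=A-1003 by=mrm.analyst ticket=INC-4422
2026-03-23T09:15:00Z kind=alert id=A-1004 model=customer-scoring metric=accuracy value=0.71 threshold=0.85
"""

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        event = dict(KEY_VALUE.findall(rest))
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def assess_alert_response(text, sla_hours=48):
    """Classify every alert by whether the response process operated.

    Returns a dict with the alert population, the ids reviewed within the
    window, reviewed late, never reviewed, and the overall exception rate.
    """
    events = parse_log(text)
    alerts = {e["id"]: e for e in events if e["kind"] == "alert"}

    # Keep only the earliest review per alert id; later reviews do not shorten
    # the time the alert sat unacknowledged.
    reviews = {}
    for e in events:
        if e["kind"] == "review" and (e["id"] not in reviews or e["ts"] < reviews[e["id"]]["ts"]):
            reviews[e["id"]] = e

    window = timedelta(hours=sla_hours)
    result = {"population": sorted(alerts), "within_sla": [], "late": [], "unreviewed": []}
    for alert_id, alert in sorted(alerts.items()):
        review = reviews.get(alert_id)
        if review is None:
            result["unreviewed"].append(alert_id)
        elif review["ts"] - alert["ts"] <= window:
            result["within_sla"].append(alert_id)
        else:
            result["late"].append(alert_id)

    exceptions = len(result["late"]) + len(result["unreviewed"])
    result["exception_rate"] = exceptions / len(alerts) if alerts else 0.0
    return result


if __name__ == "__main__":
    outcome = assess_alert_response(ALERT_LOG)
    for bucket in ("within_sla", "late", "unreviewed"):
        print(f"{bucket:12s}: {outcome[bucket]}")
    print(f"exception rate: {outcome['exception_rate']:.0%}")
```

On the constructed log, one alert of four was handled inside the window, one was acknowledged almost four days later, and two were never acknowledged at all. That pattern is exactly the Question 6 conclusion: the threshold and alerting existed, but the response step did not operate, so the finding should be written against the response process rather than against the absence of monitoring.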


Question 7

Topic: third-party AI

A vendor provides an AI service, but the organization cannot obtain basic information about training data, security controls, or model-change notices. What should audit report?

  • A. Vendor-risk and transparency limitations affecting assurance
  • B. No issue because vendors are always outside audit scope
  • C. A guarantee that the model is safe
  • D. Only the purchase price

Best answer: A

Explanation: Third-party AI still creates organizational risk. Auditors should report limitations that affect governance, security, compliance, and monitoring.


Question 8

Topic: access control

Developers can directly alter production model parameters without review. Which control is most relevant?

  • A. Larger training data only
  • B. A new project logo
  • C. Segregation of duties and approved change workflow
  • D. Removing audit trails

Best answer: C

Explanation: Production AI changes should be controlled through authorization, segregation, testing, logging, and monitoring.
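Questions 4 and 8 both come down to whether production model changes are versioned, independently approved and tested. An auditor can test that directly against the model registry: for every version that reached production, check that an approver is recorded, that the approver is not the submitter, that a change ticket and test evidence exist, and that the recorded parent version actually exists in the registry. The code below is an added example for both questions and is not from ISACA, IT Mastery or any real registry product. The registry structure, field names, user names and ticket identifiers are constructed assumptions.

```python
"""Audit test for AI model change control and segregation of duties (added example).

Walks a constructed model registry and reports, for each version promoted to
production, which change-control expectations it fails to evidence.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ModelVersion:
    version: str
    parent: Optional[str]          # version this one was retrained from; None for a first release
    submitted_by: str              # who built or retrained the model
    approved_by: Optional[str]     # who authorised promotion, if anyone
    change_ticket: Optional[str]   # reference to the approved change record
    test_evidence: Optional[str]   # reference to pre-promotion test results
    promoted_to_prod: bool


# Constructed registry extract for one model; names and identifiers are assumptions.
SAMPLE_REGISTRY = [
    ModelVersion("v1.0", None, "dev.alice", "mrm.lead", "CHG-101", "tests/v1.0-report", True),
    ModelVersion("v1.1", "v1.0", "dev.alice", "dev.alice", "CHG-115", "tests/v1.1-report", True),
    ModelVersion("v1.2", "v1.1", "dev.bob", None, None, None, False),
    ModelVersion("v2.0", "v1.5", "dev.bob", None, None, None, True),
]


def review_change_control(versions: List[ModelVersion]) -> Dict[str, List[str]]:
    """Return {version: [exceptions]} for production versions lacking control evidence.

    Only versions actually promoted to production are in the test population;
    unpromoted experiments are out of scope for this control.
    """
    known = {v.version for v in versions}
    findings: Dict[str, List[str]] = {}
    for index, v in enumerate(versions):
        if not v.promoted_to_prod:
            continue
        issues = []
        if v.approved_by is None:
            issues.append("no approval recorded")
        elif v.approved_by == v.submitted_by:
            issues.append("self-approved (segregation-of-duties failure)")
        if v.change_ticket is None:
            issues.append("no change ticket")
        if v.test_evidence is None:
            issues.append("no test evidence")
        if v.parent is None and index > 0:
            issues.append("no lineage recorded for a non-initial version")
        elif v.parent is not None and v.parent not in known:
            issues.append(f"parent version {v.parent} not in registry (lineage gap)")
        if issues:
            findings[v.version] = issues
    return findings


def production_population(versions: List[ModelVersion]) -> List[str]:
    """The population an auditor would sample from: every version that reached production."""
    return [v.version for v in versions if v.promoted_to_prod]


if __name__ == "__main__":
    print("population:", production_population(SAMPLE_REGISTRY))
    for version, issues in review_change_control(SAMPLE_REGISTRY).items():
        print(version)
        for issue in issues:
            print("  -", issue)
```

On the constructed registry, v1.0 is clean, v1.1 was approved by the same developer who submitted it (the Question 8 segregation-of-duties gap), and v2.0 is the Question 4 scenario: a retrain promoted with no approval, no ticket, no test evidence, and a parent version that does not exist in the registry. Each of those lines maps to a specific control expectation, which is what the finding should cite.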


Question 9

Topic: audit reporting

An auditor finds that model monitoring is immature but improving. What wording is most appropriate?

  • A. Say the entire AI program has failed
  • B. State the condition, risk, evidence, impact, and agreed action without claiming broader assurance than tested
  • C. Ignore the issue because work is ongoing
  • D. Promise that no AI errors can occur

Best answer: B

Explanation: Audit reporting should be evidence-based and proportionate. Findings should describe tested scope, risk, root cause, and management response.


Question 10

Topic: privacy

An AI use case processes personal data beyond the original stated purpose. What should audit examine?

  • A. Only the model’s speed
  • B. Whether the data table has many columns
  • C. Whether the output looks modern
  • D. Lawful basis or authorization, purpose limitation, consent where needed, and data-minimization controls

Best answer: D

Explanation: Privacy risk is central when AI changes how personal data is used. Audit should test governance and controls around authorized purpose and minimization.


Question 11

Topic: control design

A control requires quarterly model-risk review, but there is no owner assigned. What is the main weakness?

  • A. The control may be poorly designed because accountability is unclear
  • B. Ownership is never needed for controls
  • C. Quarterly review is too frequent in all cases
  • D. The control is automatically effective

Best answer: A

Explanation: A control without ownership is unlikely to operate consistently. Design adequacy includes responsibility, timing, evidence, and escalation.


Question 12

Topic: audit independence

The audit team is asked to design the model-risk controls and later audit them. What is the concern?

  • A. The audit will be faster
  • B. It eliminates all model risk
  • C. Independence and objectivity could be impaired
  • D. It proves the controls are effective

Best answer: C

Explanation: Audit may advise on control expectations, but designing and then auditing the same controls can impair independence.

Revised on Monday, May 18, 2026