Isaca AAIA - ISACA Advanced in AI Audit (AAIA)

When using generative AI tools during audit activities, the most critical concern is the reliability and appropriateness of the information being entered and processed. According to the AAIAâ„¢ Study Guide, auditors are accountable for ensuring that audit data is valid, confidential, and that generated outputs are factual and verifiable.

“IS auditors must evaluate whether the information entered into AI tools is reliable and appropriate for the audit context. Inputting sensitive or unverified data may lead to regulatory violations or audit inaccuracies.”

While hallucinations (C) and privacy notices (B) are important concerns, the primary auditor responsibility is to ensure that source data is accurate and suitable. Therefore, D is the correct response.

Precision measures the proportion of true positives among all positive predictions. A low precision rate indicates a high rate of false positives. The AAIAâ„¢ Study Guide recommends using precision when the goal is to minimize incorrect positive alerts, which is especially relevant in fraud detection, cybersecurity, and classification models.

“Precision is the key metric when false positives have a significant operational cost. It provides insight into the model’s ability to avoid incorrect positive classifications.”

Accuracy and recall give broader insights, but only precision directly measures false positive risk. Completeness is not a standard ML metric.

Generative AI excels at synthesizing large datasets and technical documentation into understandable insights. The AAIAâ„¢ Study Guide recommends leveraging generative AI to identify domain-specific risks and control considerations by analyzing complex environments and correlating them with industry risk patterns.

“AI can assist auditors during planning by generating tailored risk profiles for technologies under review, helping prioritize audit focus and scoping.”

While summarizing interviews (D) and creating diagrams (B) are helpful, only C directly informs audit planning with actionable intelligence. A (separation of duties) is a later-stage control assessment.

According to the AAIAâ„¢ Study Guide, the first action in response to a confirmed or suspected data exfiltration attack should be containment. Isolating impacted systems helps prevent further exploitation while allowing for a secure investigation of the breach source.

“The initial response to any AI-related data breach must prioritize containment of the threat. Immediate isolation of affected systems helps mitigate further damage and supports a controlled forensic analysis.”

While regulatory notification (D) and architectural remediation (C) are important, they follow containment. Query limitations (A) reduce future risk but do not address the current attack. Thus, B is the critical first step.

The AAIAâ„¢ Study Guide recommends using validation tools to fine-tune and evaluate ML models, particularly when high false positives undermine operational efficiency. ML validation can identify threshold adjustments, retraining needs, or feature misweighting contributing to excessive alerting.

“Model validation enables organizations to quantify performance, reduce false alarms, and recalibrate AI behavior to align with operational needs and threat landscapes.”

While logs (A) and benchmarks (B) help with diagnosis, they don’t improve the model. Penetration testing (C) evaluates detection, not alert noise. D is the most effective solution.

Sudden and unexplained changes in AI-generated credit scores may result from data drift, model overfitting, or lack of recalibration. According to the AAIAâ„¢ Study Guide, regular expert review and calibration help maintain model reliability and transparency, particularly in high-stakes decisions like credit scoring.

“Ongoing human oversight ensures that predictive models remain stable and justifiable. In high-impact environments, such as banking, experts must review and recalibrate AI systems to prevent opaque or unexpected behavior.”

Option B may cause the exclusion of relevant long-term patterns. C promotes risk by removing oversight. D is a validation strategy, not a stability control. Therefore, A is the best option.

Using AI to make employment decisions such as driver termination or retention introduces significant ethical risks. If based solely on performance metrics without context or human review, such systems can lead to unfair treatment or discrimination—violating principles of transparency and due process.

“Automating workforce decisions must be approached cautiously to prevent discriminatory outcomes. Ethical AI governance requires oversight when AI is used for employment-impacting decisions.”

A, C, and D involve business optimization without directly affecting individual employment rights. Therefore, B poses the greatest ethical risk.