1,155 original practice questions for the ISACA Advanced in AI Audit exam. Written by a CIO who passed in the first global cohort — not a content team, not a licensed question bank.
The ISACA Advanced in AI Audit (AAIA) exam has 90 questions and a 150-minute time limit. It is scored on a 200–800 scale with a passing score of 450. Questions are scenario-based — they present a situation and ask you to apply judgment, not recall a definition. The exam tests three domains, weighted unevenly.
Domain 1, AI Governance and Risk (33%), covers AI strategy, governance frameworks, risk identification, and the regulatory landscape. It tests your ability to evaluate AI policies, assess an organization's AI risk posture, and apply frameworks including NIST AI RMF, ISO/IEC 42001, the EU AI Act, and the OECD AI Principles.
Domain 2, AI Operations and Monitoring (46%), is the heaviest domain. It covers AI system lifecycle management, model monitoring, data governance, bias detection, explainability, and incident response. Most IT auditors struggle here because it requires understanding how AI systems behave in production, not just how they are designed.
Domain 3, AI Auditing Tools and Techniques (21%), covers audit methodology applied to AI systems: planning AI audits, gathering evidence, evaluating controls, and reporting findings. It tests practical audit skills in the context of AI rather than traditional IT systems.
Domain 2 carries 46% of the exam weight and is where most candidates underperform. It requires understanding how AI systems behave in production — model drift, bias detection, explainability, and monitoring — not just how they are governed on paper. AAIA Prep's Weakest Subject mode identifies your Domain 2 gaps and surfaces those questions automatically.
The AAIA exam references 21 AI governance frameworks by name. Knowing which framework applies to which scenario is tested directly. AAIA Prep includes a full framework library mapping each of the 21 to the exam domains where ISACA tests them.
These questions are written to ISACA exam difficulty — scenario-based, framework-mapped, and aligned to the current AAIA content outline. The full app has 1,155.
1. An organization is deploying a large language model to assist with customer service decisions. The AI governance committee wants to ensure the model meets regulatory requirements. Which framework would BEST guide the committee in establishing a risk-based AI governance structure?
The NIST AI Risk Management Framework (AI RMF) is specifically designed to help organizations govern, map, measure, and manage AI risks. ISO/IEC 27001 addresses information security broadly. COBIT 2019 covers IT governance but is not AI-specific. ITIL 4 is a service management framework. The NIST AI RMF's four core functions — Govern, Map, Measure, Manage — directly address the committee's need for a risk-based AI governance structure.
2. During an audit of an AI-based loan approval system, an auditor discovers that the model produces significantly different approval rates across demographic groups. The model's training data reflects historical lending patterns. Which risk is MOST directly illustrated by this finding?
Algorithmic bias occurs when an AI system produces systematically unfair outcomes due to biased training data, model design, or both. Historical lending data that reflects past discriminatory practices will encode those patterns into the model. Overfitting describes a model that performs well on training data but poorly on new data. Data poisoning is a deliberate attack on training data. Concept drift refers to model degradation over time as real-world patterns change. The demographic disparity in approval rates is a direct indicator of algorithmic bias.
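The disparity in the scenario above can be made concrete with a simple audit test: compute the approval rate per demographic group and the ratio of the lowest rate to the highest. This is an added example, not part of the original practice question; the decision records are constructed, and the 0.8 flag threshold is an assumed review trigger, not a figure taken from the exam.

```python
from collections import defaultdict

# Constructed sample of loan decisions: (applicant_group, approved).
# Group labels and outcomes are illustrative only.
DECISIONS = [
    ("A", True), ("A", True), ("A", True), ("A", False), ("A", True),
    ("A", True), ("A", True), ("A", True), ("A", False), ("A", True),
    ("B", True), ("B", False), ("B", False), ("B", True), ("B", False),
    ("B", False), ("B", True), ("B", False), ("B", False), ("B", False),
]


def approval_rates(decisions):
    """Return {group: approved / total} for every group in the records."""
    counts = defaultdict(lambda: [0, 0])  # group -> [approved, total]
    for group, approved in decisions:
        counts[group][1] += 1
        if approved:
            counts[group][0] += 1
    return {g: approved / total for g, (approved, total) in counts.items()}


def disparate_impact_ratio(rates):
    """Lowest group approval rate divided by the highest (1.0 = parity)."""
    hi, lo = max(rates.values()), min(rates.values())
    return lo / hi if hi else 1.0


def audit_finding(decisions, threshold=0.8):
    """Assumed threshold: a ratio below 0.8 is flagged for follow-up.

    A flag is an indicator, not proof of bias: small samples, legitimate
    underwriting factors and label quality all need to be examined before
    the finding is reported.
    """
    rates = approval_rates(decisions)
    ratio = disparate_impact_ratio(rates)
    return {
        "rates": rates,
        "ratio": ratio,
        "flagged": ratio < threshold,
        "sample_sizes": {g: sum(1 for grp, _ in decisions if grp == g) for g in rates},
    }


if __name__ == "__main__":
    print(audit_finding(DECISIONS))
```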
3. An AI model used for fraud detection was performing well at deployment but its precision has declined significantly over the past six months despite no changes to the model. The MOST likely cause is:
Concept drift occurs when the statistical properties of the input data change over time, causing a previously accurate model to degrade. Fraud patterns evolve — new attack vectors emerge, user behavior shifts — and a model trained on older patterns loses precision. An adversarial attack would typically cause sudden, not gradual, degradation. Explainability controls and model card documentation are governance practices that do not directly affect model precision.
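The gradual-versus-sudden distinction in the explanation above is something a monitoring control can check directly. As an added example (not from the original question), the block below computes monthly precision from constructed confusion counts and classifies the trend; the tolerances are assumed values a practitioner would tune per model.

```python
# Constructed monthly confusion counts for a fraud model:
# (month, true_positives, false_positives). Illustrative only.
MONTHLY = [
    ("2024-01", 90, 10), ("2024-02", 88, 12), ("2024-03", 84, 16),
    ("2024-04", 78, 22), ("2024-05", 71, 29), ("2024-06", 62, 38),
]


def precision(tp, fp):
    """Share of flagged transactions that were actually fraud."""
    return tp / (tp + fp) if (tp + fp) else 0.0


def precision_series(rows):
    """Return [(month, precision)] in the order the rows were supplied."""
    return [(month, precision(tp, fp)) for month, tp, fp in rows]


def classify_degradation(series, total_tol=0.10, step_tol=0.15):
    """Heuristic with assumed thresholds.

    "sudden"  : one month-to-month drop of step_tol or more, which the
                question's reasoning associates with an abrupt event
                (e.g. an adversarial attack or a broken data pipeline).
    "gradual" : no single large step, but the cumulative drop from the
                first window reaches total_tol, consistent with concept
                drift that warrants retraining.
    "stable"  : neither condition met.
    """
    values = [p for _, p in series]
    if len(values) < 2:
        return "stable"
    steps = [values[i - 1] - values[i] for i in range(1, len(values))]
    if max(steps) >= step_tol:
        return "sudden"
    if values[0] - values[-1] >= total_tol:
        return "gradual"
    return "stable"


if __name__ == "__main__":
    series = precision_series(MONTHLY)
    for month, p in series:
        print(f"{month}: precision={p:.2f}")
    print("assessment:", classify_degradation(series))
```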
4. Under the EU AI Act, which category of AI system requires a conformity assessment before deployment?
The EU AI Act classifies AI systems into risk tiers. High-risk AI systems — including those used in critical infrastructure, employment decisions, credit scoring, and biometric identification — must undergo a conformity assessment before being placed on the market. Minimal risk systems face no mandatory requirements. Limited risk systems require transparency obligations (e.g., disclosing that a user is interacting with an AI). General purpose AI models have their own obligations under the Act but are governed by a separate chapter.
5. An IT auditor is planning an audit of an organization's AI model development process. Which audit procedure would BEST evaluate whether the organization has adequate controls over training data quality?
Training data quality controls are best evaluated by examining data lineage documentation (which tracks data origin, transformations, and handling) and data validation procedures (which verify completeness, accuracy, and consistency before training). Reviewing performance metrics evaluates model output, not the data controls that produced it. SHAP values assess model explainability, not data quality. An incident response plan addresses post-deployment issues, not training data governance.
The full app has 1,155 questions across all three domains, 8 study modes, a full mock exam, and 200 flashcards.
Dr. Baz Abouelenein has 20+ years in IT leadership: CIO at Kansas City Kansas Community College for eleven years, dual CIO/CISO at Grantham University for three. D.M. in Organizational Leadership, executive certificates from MIT Sloan and Carnegie Mellon. Six active credentials: AAIA (first cohort globally), CISA, CISM, CRISC, CISSP, and PMP.
Every question in AAIA Prep was written by Dr. Abouelenein — scenario-based, framework-mapped, and aligned to the current AAIA exam content outline. Nothing was adapted from a study guide or licensed from a third party. His forthcoming book, The AAIA Certification Guide, is among the first practitioner guides to the credential.
The ISACA Advanced in AI Audit (AAIA) exam has 90 questions and a 150-minute time limit. Questions are scenario-based and test applied knowledge across three domains rather than memorization of definitions.
The AAIA exam covers three domains: AI Governance and Risk (33%), AI Operations and Monitoring (46%), and AI Auditing Tools and Techniques (21%). Domain 2 carries the most weight and is where most candidates struggle.
ISACA's AAIA exam references 21 AI governance frameworks by name. These include NIST AI RMF, EU AI Act, ISO/IEC 42001, OECD AI Principles, UNESCO AI Ethics, and 16 others. The AAIA Prep app covers all 21, mapped to the exam domains where ISACA tests them.
ISACA uses a scaled scoring system for the AAIA exam, ranging from 200 to 800. The passing score is 450. AAIA Prep's mock exam uses the same 200–800 scale so you can calibrate your readiness before sitting the real exam.
ISACA offers a 12-question free practice quiz on their website. AAIA Prep includes 50 free practice questions and 20 free flashcards with no account required. The full 1,155-question bank, all 8 study modes, and the full mock exam are available after upgrading.
Preparation time varies by background. CISA holders with active audit experience typically need 6–10 weeks of focused study. Candidates newer to AI governance frameworks may need 10–14 weeks. The AAIA Prep app's Weakest Subject mode targets your specific gaps automatically, which compresses preparation time compared to linear study.
CISA (Certified Information Systems Auditor) covers traditional IT audit across five domains including IS governance, acquisition, operations, and asset protection. AAIA (Advanced in AI Audit) is a specialized credential focused specifically on auditing AI systems — their governance, operational risks, bias, explainability, and regulatory compliance. AAIA builds on audit fundamentals but requires knowledge of AI-specific frameworks and risks that CISA does not test.
Every question in AAIA Prep was written by Dr. Baz Abouelenein — a CIO who passed the AAIA exam in the first global cohort, alongside CISA, CISM, CRISC (all ISACA), and CISSP (ISC2). The questions are original, scenario-based, and aligned to the current AAIA exam content outline. Nothing was adapted from a study guide or licensed from a third party.
No account required. 50 practice questions and 20 flashcards at no cost. The full 1,155-question bank, all 8 study modes, and the full mock exam are one upgrade away.
iOS only. Android beta available — join the waitlist.