Which of the following is the BEST way to ensure data fed into an AI model aligns with business objectives?
Correct Answer: C
Documenting data input requirements (option C) ensures that all incoming data supports the business purpose, operational constraints, and intended use cases of the AI model. AAIA highlights that aligning AI systems with business objectives starts with clear data specifications, including:

* Required fields and data formats
* Data quality thresholds
* Acceptable ranges and constraints
* Mandatory attributes
* Source system definitions
* Business rationale for each feature

Without documentation, data pipelines may ingest irrelevant, low-quality, or misaligned data, causing the model to drift away from business needs. Normalization (A) improves preprocessing but does not ensure alignment. Switching data sources (B) is premature without evaluating needs. Defining new attributes (D) is secondary to documenting overall requirements.

References:
AAIA Domain 1: Business Alignment and Data Requirements
AAIA Domain 2: Input Specification Governance
AAIA Exam Question 12
An IS auditor is reviewing an AI application that uses customer data to refine the organization's marketing outreach strategies. Which of the following should be the auditor's PRIMARY focus during this review?
Correct Answer: C
Since the AI system processes customer data (including potentially personal, sensitive, or behavioral data), the auditor's primary focus must be privacy compliance (C). AAIA identifies privacy violations as one of the highest-risk areas for organizations using AI. The auditor must ensure:

* Data collection follows lawful basis requirements
* Customers gave proper consent (if required)
* Processing adheres to data minimization and purpose limitation
* Storage and retention policies meet regulatory standards
* Data subjects' rights (access, correction, deletion) are protected
* Third-party or cross-border transfers are compliant

Access controls (B) matter but are secondary to ensuring the data is legally collected and processed. AI strategy alignment (A) is governance-related, not risk-critical. Escalation protocols (D) support incident response but come after confirming lawful processing.

References:
AAIA Domain 5: Data Privacy, Lawfulness of Processing
AAIA Domain 1: Privacy and Data Governance Programs
AAIA Exam Question 13
Which of the following should be an IS auditor's GREATEST concern when using a predictive AI tool to analyze data abnormalities?
Correct Answer: A
For a predictive AI tool analyzing abnormalities, the GREATEST concern is the rate and impact of false positives and false negatives (A). False positives can lead to unnecessary investigation, while false negatives mean true issues (e.g., fraud, control failures) remain undetected. From an assurance perspective, false negatives are especially critical because they directly undermine audit objectives. AAIA underscores that key performance metrics (e.g., precision, recall) and error trade-offs are essential in evaluating AI tools used in audit. Integration ease (B), speed (C), and cost (D) are important practical considerations but are secondary to whether the tool accurately identifies or misses significant anomalies. Therefore, error behavior (false positives and false negatives) represents the primary risk to audit quality.

References:
ISACA, AAIA Exam Content Outline - Domain 3: AI in Audit Processes; Domain 2: AI Operations (model performance metrics and risk).
ISACA analytics guidance on evaluating AI tools using precision, recall, and error analysis in audit contexts.
AAIA Exam Question 14
An organization's system development process has been enhanced with AI. Which of the following features presents the GREATEST risk?
Correct Answer: D
Allowing AI to autonomously generate code without human review introduces significant risks, including security vulnerabilities, logic errors, and noncompliance with organizational development standards. The AAIA™ Study Guide strongly advocates for human-in-the-loop oversight, particularly in automated development contexts. "AI-assisted development must include manual code reviews to ensure functionality, compliance, and security. Autonomous code generation without validation increases the risk of introducing undetected flaws." While A, B, and C involve operational risks or inefficiencies, only D constitutes a direct breach of secure development life cycle principles. Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: "AI Fundamentals and Technologies," Subsection: "AI in Software Development and Associated Risks"
AAIA Exam Question 15
Which of the following should be an IS auditor's GREATEST concern when reviewing an anomaly detection process implemented for a high-risk AI system?
Correct Answer: A
In a high-risk AI system, anomaly detection often serves as a frontline control to flag irregularities in input data and model behavior. The GREATEST concern for an IS auditor is when the process fails to identify anomalies that can bias training data (A), because undetected anomalies can fundamentally distort model learning and outputs. This can lead to systemic bias, incorrect decisions, safety risks, and regulatory breaches. Option B (lack of regular quality reviews) is serious but is partially addressed if anomaly detection is effective. Option C (infrequent updates) may degrade detection performance over time but is less critical than outright failure to detect harmful anomalies. Option D (staff training) is important for operational effectiveness but still secondary to the technical failure to catch bias-inducing anomalies. AAIA stresses that data integrity and monitoring controls are paramount in high-risk contexts.

References:
ISACA, AAIA Exam Content Outline - Domain 2: AI Operations (Supervision of AI Solutions, data monitoring, and anomaly detection).
ISACA AI risk materials focusing on high-risk AI oversight and data integrity.