ISACA AAIA Practice Quiz - Free Practice Quiz

Question 1 of 60

An organization is deploying an AI-based fraud detection system. Which framework provides a structured approach to managing AI risks across the AI lifecycle, organized around the functions of Govern, Map, Measure, and Manage?

A ISO/IEC 27001 B ISO/IEC 42001 C NIST AI RMF D COBIT 2019

1 / 60

Question 2 of 60

An IT auditor is reviewing an organization's AI governance structure. Which role is primarily responsible for setting the overall AI strategy and ensuring alignment with enterprise objectives at the board level?

A Data Steward B AI Model Owner C Chief Information Security Officer D Chief AI Officer (CAIO)

2 / 60

Question 3 of 60

Under the EU AI Act, which risk tier includes AI systems that are considered to pose an unacceptable risk and are therefore prohibited?

A Unacceptable risk B Limited risk C High risk D Minimal risk

3 / 60

Question 4 of 60

An auditor is reviewing an organization's AI policy framework. Which of the following is MOST important to include in an enterprise AI policy?

A Roles and responsibilities, acceptable use guidelines, and risk governance procedures B Source code documentation for proprietary AI algorithms C A list of all datasets used to train AI models D Technical specifications for all AI models in use

4 / 60

Question 5 of 60

ISO/IEC 42001 is best described as which type of standard?

A A technical standard for AI algorithm performance benchmarking B A cybersecurity standard specific to machine learning model protection C A data privacy standard that extends GDPR to AI systems D An AI management system standard providing requirements for establishing, implementing, and improving AI governance

5 / 60

Question 6 of 60

An organization's board of directors wants to establish appropriate oversight of AI risk. Which of the following BEST represents effective board-level AI governance?

A Prohibiting the use of generative AI across the enterprise B Establishing an AI risk appetite statement and receiving regular AI risk reports C Requiring the board to approve every AI model deployment D Delegating all AI decisions to the IT department without board involvement

6 / 60

Question 7 of 60

When developing an organization's AI risk appetite, which factor should be given the MOST consideration?

A The number of AI models currently in production B The technical capabilities of the AI development team C The cost of implementing AI risk controls D The alignment of AI risk tolerance with overall enterprise risk appetite and strategic objectives

7 / 60

Question 8 of 60

An auditor is assessing an organization's AI governance maturity. Which of the following maturity model indicators suggests the HIGHEST level of AI governance maturity?

A AI projects are approved on a case-by-case basis without a formal framework B AI policies exist but are not consistently enforced C AI governance is integrated into enterprise governance with continuous improvement processes and measurable KPIs D There is a dedicated AI team responsible for all AI decisions

8 / 60

Question 9 of 60

Which ISACA framework provides the MOST comprehensive guidance for aligning AI governance with enterprise IT governance?

A ISO/IEC 42001 B NIST Cybersecurity Framework C EU AI Act D COBIT 2019

9 / 60

Question 10 of 60

An organization is establishing a new AI governance committee. Which of the following membership compositions is MOST appropriate?

A External AI ethics experts only B Cross-functional representation including legal, risk, IT, business units, and ethics expertise C Only the CISO and CIO D Only technical staff including data scientists and ML engineers

10 / 60

Question 11 of 60

An auditor notes that an organization has no documented AI risk appetite. What is the PRIMARY risk this creates?

A AI initiatives may be pursued or avoided without reference to the organization's actual risk tolerance, leading to misaligned decisions B AI projects may be technically suboptimal C AI vendors will refuse to work with the organization D The organization will be unable to purchase AI tools

11 / 60

Question 12 of 60

The NIST AI RMF 'Govern' function primarily focuses on which activity?

A Measuring AI system performance against benchmarks B Responding to AI incidents after they occur C Establishing organizational practices, policies, and accountability structures for AI risk management D Identifying and categorizing AI risks in specific deployments

12 / 60

Question 13 of 60

An organization is using a third-party AI vendor for customer service chatbots. From a governance perspective, what is the AI owner's PRIMARY responsibility?

A Managing the vendor's internal AI development team B Ensuring the vendor's AI system meets the organization's governance, risk, and compliance requirements C Writing the source code for the chatbot D Negotiating the price of the AI service

13 / 60

Question 14 of 60

Which of the following BEST describes the concept of AI risk appetite?

A The level and type of AI-related risk an organization is willing to accept in pursuit of its strategic objectives B The technical limitations of AI systems the organization will deploy C The number of AI incidents an organization tolerates per year D The maximum financial investment an organization will make in AI

14 / 60

Question 15 of 60

An auditor reviewing an AI governance program identifies that AI model decisions cannot be explained to affected individuals. Which governance principle is MOST directly violated?

A Profitability B Explicability/Transparency C Scalability D Efficiency

15 / 60

Question 16 of 60

An auditor is assessing model risk for an AI-based credit scoring system. Which risk is MOST directly associated with a model trained on historical data that reflects past discriminatory lending practices?

A Operational risk B Reputational risk C Model drift risk D Bias risk

16 / 60

Question 17 of 60

Data poisoning attacks on AI models are BEST classified under which risk category?

A Adversarial/security risk B Reputational risk C Regulatory compliance risk D Model drift risk

17 / 60

Question 18 of 60

An organization relies on a large language model from a third-party vendor. The vendor makes a significant update to the model without notifying the customer. What AI-specific risk does this MOST directly illustrate?

A Third-party/vendor model risk B Data minimization risk C Insider threat risk D Physical security risk

18 / 60

Question 19 of 60

Which of the following BEST describes model drift in the context of AI risk?

A A model that produces inconsistent results due to software bugs B A model that has been deliberately attacked by adversaries C A model that was never properly validated before deployment D A gradual degradation in model performance over time as real-world data distributions change

19 / 60

Question 20 of 60

An AI model used for medical diagnosis produces accurate results for majority demographic groups but has significantly higher error rates for minority groups. This BEST illustrates which type of bias?

A Representation bias B Measurement bias C Recency bias D Confirmation bias

20 / 60

Question 21 of 60

An auditor is evaluating an organization's management of explainability risk in AI systems. Which control BEST mitigates the risk that AI decisions cannot be explained to regulators?

A Encrypting all model outputs B Restricting AI output to internal use only C Implementing model explainability techniques such as SHAP or LIME and documenting them D Deploying only open-source AI models

21 / 60

Question 22 of 60

Under GDPR, what obligation is placed on organizations regarding automated decision-making that has legal or similarly significant effects on individuals?

A Individuals have the right not to be subject to solely automated decisions, and the right to obtain human review B Organizations must publish all model source code C Automated decision-making is prohibited in all cases D Organizations must obtain a patent for all automated decision-making systems

22 / 60

Question 23 of 60

An organization trains an AI model using customer data collected for a different purpose. Which AI risk category does this MOST directly create?

A Data privacy/purpose limitation risk B Adversarial attack risk C Operational resilience risk D Model drift

23 / 60

Question 24 of 60

An auditor finds that an AI vendor's contract does not include provisions for model performance monitoring or breach notification. This gap MOST directly increases which risk?

A Technology obsolescence risk B Financial reporting risk C Third-party AI vendor risk D Physical security risk

24 / 60

Question 25 of 60

Which of the following BEST describes the concept of adversarial attacks in the context of AI risk?

A Infrastructure outages affecting AI system availability B Deliberately crafted inputs designed to cause an AI model to produce incorrect or unexpected outputs C Attacks by competing organizations on AI market share D Random errors in training data

25 / 60

Question 26 of 60

An organization's AI model for loan approvals begins producing significantly different results after a regulatory change affects the underlying economic data it uses. What is the PRIMARY AI risk management control that would detect this?

A Incident response planning B Ongoing model performance monitoring and drift detection C Penetration testing D User access reviews

26 / 60

Question 27 of 60

An auditor reviewing AI risk management finds the organization has no process for tracking AI model versions in production. Which risk does this MOST directly create?

A Data center capacity risk B Increased licensing costs C Vendor lock-in risk D Inability to roll back to a prior model version following a performance degradation or incident

27 / 60

Question 28 of 60

Under the EU AI Act, AI systems used in employment decisions such as CV screening are classified in which risk tier?

A Limited risk B Minimal risk C Unacceptable risk D High risk

28 / 60

Question 29 of 60

An organization's AI model was found to produce racially biased outcomes. Remediation was delayed because no team owned responsibility for AI fairness monitoring. Which governance control failure does this BEST represent?

A Insufficient training data B Lack of technical capability C Excessive model complexity D Unclear accountability and ownership for AI risk

29 / 60

Question 30 of 60

Which privacy-enhancing technique allows an organization to train AI models on sensitive data distributed across multiple locations without centralizing the data?

A Encryption at rest B Federated learning C Data masking D Data tokenization

30 / 60

Question 31 of 60

An auditor is scoping an AI audit. Which of the following questions is MOST important to address first in AI audit planning?

A Who is the cloud hosting provider? B What is the business purpose of the AI system and what decisions does it influence? C What programming language was used to develop the model? D How much did the AI system cost to develop?

31 / 60

Question 32 of 60

Which type of AI testing involves providing deliberately adversarial or malformed inputs to evaluate whether the model fails safely?

A User acceptance testing B Regression testing C Integration testing D Adversarial testing

32 / 60

Question 33 of 60

An auditor is reviewing documentation for an AI system. Which artifact BEST provides a standardized summary of a model's training data, intended use, limitations, and performance metrics?

A Model card B Data dictionary C Risk register D System architecture diagram

33 / 60

Question 34 of 60

When assessing audit evidence for an AI system, which type of evidence provides the MOST direct assurance that an AI model produces fair outcomes across demographic groups?

A Fairness testing results showing performance metrics disaggregated by protected attributes B The AI developer's code comments C Vendor marketing materials D The organization's AI policy document

34 / 60

Question 35 of 60

An auditor identifies that an organization deploys AI models without any pre-production testing. Which control objective does this MOST directly violate?

A Change management and model validation before production deployment B Data classification policies C Network security segmentation D Financial reporting accuracy

35 / 60

Question 36 of 60

Which of the following BEST describes continuous auditing of AI systems?

A Automated, ongoing monitoring of AI system controls and performance that provides near-real-time assurance B Reliance on external auditors for all AI assurance C A one-time comprehensive audit performed every five years D Quarterly manual reviews of AI model documentation

36 / 60

Question 37 of 60

An audit team is preparing to report AI audit findings to the board. Which information is MOST important to include for effective board-level communication?

A Detailed technical specifications of all AI models tested B Risk-prioritized findings with business impact, root cause, and recommended management actions C The full source code review results D Statistical analysis of all model performance metrics

37 / 60

Question 38 of 60

An organization's AI audit reveals that model training logs are not retained. What is the PRIMARY audit concern?

A Violation of software licensing terms B Reduced model performance C Increased storage costs D Loss of audit trail needed to investigate model behavior, validate training processes, and support incident investigations

38 / 60

Question 39 of 60

When auditing a high-risk AI system under the EU AI Act, which control is SPECIFICALLY required by the regulation?

A Real-time public transparency reporting B Third-party social media monitoring C Open-source release of the model D Human oversight mechanisms that allow humans to monitor, intervene, or disable the system

39 / 60

Question 40 of 60

Which MLOps practice MOST directly supports auditability of AI model changes in production?

A Minimizing the number of features used in models B Using the latest available AI frameworks C Maintaining a version-controlled model registry with change history and deployment records D Maximizing model inference speed

40 / 60

Question 41 of 60

An auditor finds an organization uses AI for automated hiring decisions without any human review of rejected candidates. Which risk should be escalated as the HIGHEST priority finding?

A The AI hiring tool is more expensive than manual screening B The system uses more computing resources than budgeted C Automated rejection without human review may violate employment discrimination laws and GDPR Article 22 D The AI system may be slow during peak application periods

41 / 60

Question 42 of 60

In AI audit planning, what is the PURPOSE of conducting an AI system inventory?

A To reduce the cost of AI development B To eliminate low-value AI projects C To identify all AI systems in use, their risk classifications, and prioritize audit coverage accordingly D To accelerate AI deployment timelines

42 / 60

Question 43 of 60

An auditor is reviewing an organization's incident response procedures. Which of the following BEST indicates mature AI incident response capability?

A Defined playbooks exist for AI-specific incidents including bias events, model failures, and adversarial attacks, with assigned roles and tested procedures B The organization has never experienced an AI incident C All AI incidents are handled by the general IT help desk D AI incidents are reported only when they attract media attention

43 / 60

Question 44 of 60

Which of the following BEST characterizes the difference between functional testing and adversarial testing of AI systems?

A Adversarial testing is only relevant for cybersecurity applications B Functional testing verifies the AI system performs its intended tasks correctly; adversarial testing evaluates resilience against deliberate manipulation or edge cases C Functional testing is more rigorous than adversarial testing D Functional testing is performed by external auditors; adversarial testing is done internally

44 / 60

Question 45 of 60

An auditor observes that an organization's AI model produces different outputs for functionally identical inputs depending on the time of day. Which audit concern does this MOST directly raise?

A The model is working as intended B Data storage capacity C The AI model is too expensive to operate D Model reliability and consistency, indicating a potential issue with model stability or non-deterministic design

45 / 60

Question 46 of 60

When auditing AI systems that use third-party training data, which control is MOST important for managing data quality risk?

A Storing data in a government-approved facility B Paying more for premium data sources C Data provenance documentation, quality validation processes, and contractual data quality guarantees D Using only internally generated data

46 / 60

Question 47 of 60

Which of the following BEST describes a control objective for AI transparency?

A Maximize model prediction accuracy B Ensure AI systems outperform human experts C Minimize the computational cost of AI inference D Ensure that AI system decisions can be explained in terms understandable to affected stakeholders and that the system's operation is appropriately documented

47 / 60

Question 48 of 60

An organization's AI audit finds that the data used to train a customer segmentation model was collected in 2012 and has not been refreshed. Which AI risk does this MOST directly indicate?

A Physical infrastructure risk B Stale data risk leading to model drift and potentially outdated or biased predictions C Cybersecurity intrusion risk D Software licensing non-compliance

48 / 60

Question 49 of 60

An AI auditor is evaluating the organization's approach to AI risk assessment. Which methodology is MOST aligned with ISACA's risk-based approach?

A Treating all AI systems with the same level of control regardless of risk B Assessing AI risk based solely on technical complexity C Delegating AI risk assessment entirely to the AI development team D Identifying AI risks, assessing their likelihood and impact, prioritizing controls based on risk level, and monitoring residual risk

49 / 60

Question 50 of 60

When reviewing AI documentation, an auditor finds that the model card for a deployed AI system does not include performance metrics disaggregated by demographic group. What is the PRIMARY concern?

A The model card is too long B The model is using too much computing power C The organization cannot demonstrate the model performs equitably across demographic groups, creating fairness and regulatory risk D The documentation format does not match the vendor's template

50 / 60

Question 51 of 60

An auditor is reviewing an organization's MLOps pipeline. Which of the following represents the BEST control for ensuring only validated models are deployed to production?

A Relying on users to report performance issues after deployment B Allowing developers to deploy models directly to production to reduce deployment time C Requiring model validation approval from an independent review board before production deployment, enforced through automated pipeline gates D Deploying all models simultaneously to allow performance comparison

51 / 60

Question 52 of 60

Which of the following is MOST important when documenting AI audit findings related to model bias?

A The specific groups affected, the magnitude of differential impact, applicable regulatory requirements, and recommended remediation B The names of the data scientists who built the model C The financial cost of the biased model D The programming language used to build the model

52 / 60

Question 53 of 60

An organization uses AI to make real-time credit decisions. The AI vendor becomes insolvent. Which risk does this scenario MOST directly illustrate?

A Currency exchange risk B Third-party concentration and continuity risk C Model drift risk D Data poisoning risk

53 / 60

Question 54 of 60

An auditor recommends implementing 'human-in-the-loop' controls for a high-risk AI decision system. What does this mean in practice?

A Requiring a human to review and approve AI system outputs before consequential decisions are finalized B Replacing the AI system with human decision-makers C Using human feedback to retrain the AI model periodically D Allowing users to opt out of AI-assisted services

54 / 60

Question 55 of 60

When assessing the adequacy of AI change management controls, which of the following is the MOST important control to verify?

A The organization tracks AI project costs accurately B AI developers have unlimited authority to modify production models C All changes to AI models in production are subject to a formal change request, impact assessment, testing, and approval process before deployment D Changes are documented only when they affect model accuracy by more than 10%

55 / 60

Question 56 of 60

An auditor is testing the robustness of an AI-based loan decisioning system. Which test would BEST detect whether the model produces discriminatory outcomes based on protected characteristics?

A Disaster recovery testing B Disparate impact analysis comparing approval rates across demographic groups C Performance load testing D Network penetration testing

56 / 60

Question 57 of 60

Which of the following is a KEY limitation of using accuracy as the sole metric for evaluating an AI model's performance in an audit?

A Accuracy is too difficult to calculate B Accuracy is not recognized by any regulatory framework C A model can achieve high overall accuracy while performing poorly for minority subgroups, masking fairness issues D High accuracy always indicates the model is free from bias

57 / 60

Question 58 of 60

Under the NIST AI RMF, the 'Map' function primarily involves which activity?

A Continuously monitoring AI performance B Implementing risk mitigation controls C Categorizing and framing AI risks in the context of specific AI systems and their use cases D Establishing organizational AI governance policies

58 / 60

Question 59 of 60

An organization is assessing whether its AI audit program is mature. Which of the following BEST indicates that AI audit is treated as a continuous process rather than a point-in-time exercise?

A Annual comprehensive AI audits are conducted by external consultants B The AI development team self-certifies compliance quarterly C Automated monitoring dashboards provide ongoing visibility into AI control effectiveness, with issues flagged for immediate remediation D AI systems are audited only when regulators require it

59 / 60

Question 60 of 60

An auditor concludes that an organization's AI governance framework is inadequate. When reporting this finding, what should the auditor prioritize?

A Recommending outsourcing all AI governance to a third party B Communicating the specific control deficiencies, associated risks and potential impacts, and actionable recommendations proportionate to the risk level C Publishing the findings on public channels to create urgency D Recommending the immediate shutdown of all AI systems

60 / 60