ISACA AAIA 시험

Question No : 1

An organization is adopting AI for its procurement and inventory teams, raising concern from stakeholders that they will lose their jobs due to AI.
Which of the following is the BEST way for the IS auditor to assess whether the potential negative impacts were minimized?

• A.Review human-centered design practices to determine how they were considered.
• B.Review the AI roadmap for short-term and long-term milestones.
• C.Review how the project management team collected feedback in engagement activities.
• D.Review the current state assessment of how AI may impact the organization.

답을 확인하기

정답:
Explanation:
Human-centered design (HCD) focuses on integrating stakeholder needs, ethical implications, and social impact into AI system development. The AAIA™ Study Guide emphasizes the role of HCD in minimizing negative workforce impacts and ensuring inclusive design.
“Auditors should review whether the AI system design process included human-centered practices― particularly for applications affecting jobs or critical human roles. HCD ensures responsible adoption.”
While feedback collection (C) and impact assessments (D) provide useful context, A directly addresses ethical impact mitigation at the design level.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “Ethical and Legal
Considerations in AI,” Subsection: “Human-Centered AI and Workforce Impacts”

Question No : 2

An IS auditor is auditing a financial system in which a generative AI tool is used to identify trends in batches of 4,000 rows, while the generative AI tool has a limit of 3,000 tokens.
Which of the following is the GREATEST concern?

• A.The AI will process only a portion of the data set.
• B.The AI will prioritize high-value entries.
• C.The AI will reject the data set and not analyze the data.
• D.The AI output will be biased toward the first 3,000 tokens.

답을 확인하기

정답:
Explanation:
Generative AI tools such as large language models often have token limitations that restrict how much input they can process in a single prompt. According to the AAIA™ Study Guide, when input exceeds token limits, the model processes only the initial portion―leading to biased outputs based on early entries.
“Token limits in generative AI systems may lead to partial input processing, skewing model outputs toward the beginning of the data and introducing interpretive bias. Auditors must assess whether output reflects the full dataset.”
Options A and C describe side effects, but D identifies the most significant risk―output distortion due to truncated input.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Operations and Performance,” Subsection: “Limitations of Generative AI Models”

Question No : 3

An organization's system development process has been enhanced with AI.
Which of the following features presents the GREATEST risk?

• A.The AI allocates resources for new system development projects.
• B.Non-technical users are validating AI results.
• C.The AI personalizes applications for the user.
• D.All codes are generated by AI without human oversight.

답을 확인하기

정답:
Explanation:
Allowing AI to autonomously generate code without human review introduces significant risks, including security vulnerabilities, logic errors, and noncompliance with organizational development standards. The AAIA™ Study Guide strongly advocates for human-in-the-loop oversight, particularly in automated development contexts.
“AI-assisted development must include manual code reviews to ensure functionality, compliance, and security. Autonomous code generation without validation increases the risk of introducing undetected flaws.”
While A, B, and C involve operational risks or inefficiencies, only D constitutes a direct breach of secure development life cycle principles.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Fundamentals and Technologies,” Subsection: “AI in Software Development and Associated Risks”

Question No : 4

Which of the following is the PRIMARY objective of AI governance?

• A.Implementing compliance and ethics controls for AI initiatives
• B.Defining clear roles and responsibilities for AI development, use, and oversight
• C.Ensuring controls over AI are designed well and operate effectively
• D.Promoting a positive return on investment (ROI) from AI projects

답을 확인하기

정답:
Explanation:
The AAIA™ Study Guide defines the primary objective of AI governance as establishing structure and accountability for AI initiatives. This includes clearly assigning responsibilities across development, deployment, risk management, and auditing roles to ensure that AI is used responsibly and transparently.
“AI governance establishes the policies, roles, and oversight structures that guide the ethical and
secure deployment of AI. Clear accountability helps prevent unauthorized use and ensures strategic alignment.”
Options A and C are essential components of governance but are not its core definition.
Option D is a business outcome, not a governance goal. Thus, B is the most comprehensive and accurate objective.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Governance and Risk Management,” Subsection: “Governance Objectives and Structures”

Question No : 5

For a sales promotion, an AI system sorts customer attributes into several categories by analyzing transaction history.
Verifying which of the following would BEST validate the effectiveness of this process?

• A.Stress tests are regularly conducted to maintain consistent AI performance.
• B.The applied methodology adequately reflects business objectives.
• C.Sensitive attributes are converted to other data types prior to input.
• D.Sampling of AI output is conducted to identify unusual decisions.

답을 확인하기

정답:
Explanation:
The effectiveness of an AI-driven business process―such as categorizing customers for promotional campaigns―depends on how well it supports defined business objectives. The AAIA™ Study Guide recommends validating that AI methodology aligns with intended outcomes as part of performance auditing.
“Effectiveness is best measured by assessing whether the AI logic contributes meaningfully to business goals. Output alignment with organizational KPIs or campaign strategies provides clear evidence of functional success.”
Options A and D support operational resilience and quality assurance.
Option C is a privacy technique, not directly tied to effectiveness validation. Thus, B is correct.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI in Audit Processes,” Subsection: “Evaluating AI Alignment with Business Objectives”

Question No : 6

A digital bank utilizes an AI system to generate credit scores.
Which of the following would BEST mitigate the risk of sudden and unexplained changes in a borrower’s credit score?

• A.Ensuring the system is periodically reviewed and calibrated by human experts to maintain stability in predictions
• B.Using only data from the last six months to one year to avoid outdated information affecting the credit score
• C.Allowing the AI to operate fully autonomously to prevent processing delays
• D.Obtaining and validating the credit scores from third-party agencies to cross-check AI-generated results

답을 확인하기

정답:
Explanation:
Sudden and unexplained changes in AI-generated credit scores may result from data drift, model overfitting, or lack of recalibration. According to the AAIA™ Study Guide, regular expert review and calibration help maintain model reliability and transparency, particularly in high-stakes decisions like credit scoring.
“Ongoing human oversight ensures that predictive models remain stable and justifiable. In high-impact environments, such as banking, experts must review and recalibrate AI systems to prevent opaque or unexpected behavior.”
Option B may cause the exclusion of relevant long-term patterns.
C promotes risk by removing oversight.
D is a validation strategy, not a stability control. Therefore, A is the best option.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Operations and Performance,” Subsection: “Model Monitoring and Recalibration Strategies”

Question No : 7

Which of the following is the MOST important course of action for an organization prior to allowing end users to utilize an AI tool?

• A.Develop an AI policy with guidelines on appropriate use.
• B.Determine the impact to the disaster recovery plan (DRP).
• C.Implement baseline performance metrics.
• D.Ensure a cybersecurity insurance clause is in place to include the use of A

답을 확인하기

정답:
Explanation:
An AI usage policy sets the foundation for safe, ethical, and effective AI deployment. According to the AAIA™ Study Guide, having an AI policy in place ensures that users understand acceptable behaviors, limitations, and responsibilities when interacting with AI tools.
“AI acceptable use policies promote governance by clearly outlining the dos and don’ts of AI interaction, preventing misuse and aligning user activity with organizational values and compliance standards.”
Other actions (B, C, D) are important in operations and risk management but should follow the establishment of governance protocols through a usage policy. Hence, A is the highest-priority prerequisite.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Governance and Risk Management,” Subsection: “Policy Frameworks for End-User AI Interaction”

Question No : 8

Which of the following is the PRIMARY reason IS auditors must be aware that generative AI may return different investment recommendations from the same set of data?

• A.Limitations can arise in the quantification of risk profiles.
• B.Neural node access varies each time the process is executed.
• C.Computational logic is based on probabilities.
• D.Servers are reconfigured periodically.

답을 확인하기

정답:
Explanation:
Generative AI systems, particularly those based on transformer models, produce outputs using probabilistic computations. As a result, even when given the same input data, these models may generate different outputs depending on sampling strategies (e.g., temperature, top-k sampling).
“Generative AI operates probabilistically, meaning that outputs can vary with each run based on stochastic sampling techniques. This variability is expected and must be accounted for in risk-sensitive environments like finance.”
While A and B refer to limitations and architecture, and D is unrelated to logic, C directly explains the output inconsistency.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Fundamentals and Technologies,” Subsection: “Stochastic Behavior in Generative Models”

Question No : 9

Which of the following strategies used by modelers to enhance data accuracy has the GREATEST risk of bias and information loss?

• A.Filling blank attributes in records with the mean, median, or mode within a grouping
• B.Identifying and deleting duplicate entries in the data set
• C.Separating multiple data attributes within one field into individual attribute columns
• D.Placing numerical data into bins or buckets for a manageable quantity of correlations and result analyses

답을 확인하기

정답:
Explanation:
Imputing missing values using the mean, median, or mode is a common technique to fill blanks in datasets. However, according to the AAIA™ Study Guide, this method introduces a significant risk of information distortion, especially if the data is not normally distributed or if imputed values disproportionately impact underrepresented groups.
“Simple imputation can reduce data variability and reinforce existing biases. It may also misrepresent the true distribution of the data, leading to skewed model outputs.”
Other options (B, C, D) may involve transformations, but they do not inherently cause as much bias or data misrepresentation as A.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Fundamentals and Technologies,” Subsection: “Data Imputation and Transformation Risks”

Question No : 10

An organization deploys an AI recruitment platform to screen job applicants. The IS auditor identifies that the platform's decisions may be influenced by model bias.
Which of the following risk mitigation strategies is BEST for the auditor to recommend?

• A.Implement a process to periodically test the AI system for biases and adjust parameters as needed.
• B.Suspend the use of the AI system until the training data can be verified for fairness and compliance.
• C.Retrain the AI model using an external data set certified for inclusivity and fairness.
• D.Require manual reviews of all AI-generated recruitment decisions before hiring is finalized.

답을 확인하기

정답:
Explanation:
Periodic testing and monitoring for bias is a sustainable, proactive strategy aligned with best practices outlined in the AAIA™ Study Guide. This approach ensures that the AI system remains compliant over time, even as data and hiring conditions change.
“Ongoing fairness assessments help detect emerging biases and ensure that the AI model maintains equitable decision-making standards. Periodic testing also allows organizations to take corrective action before regulatory or reputational damage occurs.”
Suspending the system (B) or relying solely on external datasets (C) are temporary or limited in scope. Manual reviews (D) are effective but do not solve the root issue. Therefore, A provides a comprehensive, audit-aligned solution.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “Ethical and Legal Considerations in AI,” Subsection: “Bias Mitigation and Monitoring”

Question No : 11

Which of the following is the MOST important consideration when auditing the data used for training an AI model?

• A.Timeliness
• B.Predictability
• C.Representativeness
• D.Understandability

답을 확인하기

정답:
Explanation:
Representativeness ensures that the training data reflects the full spectrum of conditions the AI model will encounter in production. According to the AAIA™ Study Guide, models trained on non-representative data are prone to bias, poor generalization, and underperformance in real-world applications.
“Ensuring that training data accurately represents the operational environment is critical for model reliability, fairness, and scalability. Without it, the model may perform well in testing but fail in actual usage.”
Timeliness (A) and understandability (D) support performance and usability, but they are secondary to ensuring data coverage. Predictability (B) may not be desirable in dynamic modeling.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Fundamentals and Technologies,” Subsection: “Training Data Characteristics and Model Validity”

Question No : 12

An IS auditor is performing an inventory audit for a manufacturing organization.
Which of the following would BEST enable the auditor to identify types of products without assistance from organizational staff?

• A.Natural language processing
• B.Speech modeling
• C.Robotic process automation (RPA)
• D.Computer vision

답을 확인하기

정답:
Explanation:
Computer vision uses machine learning techniques to identify and classify visual data such as images or videos. In inventory audits, it can be used to recognize product types, scan barcodes, or evaluate storage conditions without human assistance.
“Computer vision is particularly effective in automated environments like manufacturing, where visual data from cameras or sensors can be processed to verify product identification and placement.”
NLP (A) and speech modeling (B) are not suitable for image-based tasks. RPA (C) automates tasks but cannot visually interpret products. Therefore, D is the correct tool.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI in Audit Processes,” Subsection: “AI Tools in Operational and Inventory Audits”

Question No : 13

To confirm the fairness of AI model decisions, the BEST way to collect reliable evidence during an AI audit is by:

• A.Analyzing system metadata.
• B.Testing the model with a curated sample data set.
• C.Interviewing developers.
• D.Observing the system’s interactions with end users.

답을 확인하기

정답:
Explanation:
Testing the AI model with a curated and representative sample data set allows auditors to directly evaluate the fairness and bias of model decisions. This approach is aligned with best practices outlined in the AAIA™ Study Guide, as it enables quantifiable analysis of model behavior across different demographics or input scenarios.
“To assess fairness, auditors should use controlled data sets to evaluate whether model outputs disproportionately impact specific groups. This empirical testing provides stronger evidence than qualitative methods.”
While metadata (A) and developer interviews (C) can supplement findings, only B provides objective, reproducible evidence.
Option D may reflect real-world interactions but lacks the control and consistency required in an audit.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “Ethical and Legal Considerations in AI,” Subsection: “Fairness and Bias Testing in AI Systems”

Question No : 14

Which of the following is the PRIMARY benefit of implementing a robust data governance framework specific to AI solutions in an organization?

• A.It focuses on enhancing the accuracy and reliability of AI model predictions.
• B.It accelerates AI implementation timelines by fully automating data preparation processes.
• C.It fosters adherence to industry regulations while minimizing the risk of data breaches and privacy violations.
• D.It reduces the need for human oversight, ensuring seamless and autonomous data governance.

답을 확인하기

정답:
Explanation:
According to the AAIA™ Study Guide, a robust data governance framework ensures that AI systems are compliant with data protection laws, ethical standards, and internal policies. It provides controls over data quality, access, retention, and processing, all of which are essential to avoid breaches and maintain trust.
“A strong data governance structure is foundational for regulatory compliance and ethical AI practices. It ensures that data privacy, integrity, and usage rights are maintained across the AI lifecycle.”
While option A is an outcome of good data governance, and automation (B) may improve efficiency, the most fundamental benefit is risk reduction and compliance (C).
Option D reflects a misunderstanding of governance which requires human oversight.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Governance and Risk
Management,” Subsection: “Data Governance Frameworks and Compliance”

Question No : 15

During a pre-implementation risk assessment, an AI model is determined to present a significant risk of bias and potential harm in excess of the organization’s risk tolerance.
Which of the following is the MOST appropriate response?

• A.Postpone deployment until the risk can be safely managed.
• B.Enhance the data that the model is trained on.
• C.Obtain board approval for an exception.
• D.Revisit the risk tolerance to ensure it is appropriate.

답을 확인하기

정답:
Explanation:
The AAIA™ Study Guide advises that if an AI model presents a risk that exceeds the organization's predefined risk tolerance―especially in cases of ethical harm or bias―deployment should be delayed until proper safeguards are in place. This approach prevents legal exposure and preserves stakeholder trust.
“When AI risks exceed acceptable thresholds, organizations must suspend implementation until corrective action reduces the risk to within tolerance levels. Proceeding without mitigation violates sound governance principles.”
While improving data (B) may help, it does not address the immediate governance concern. Risk tolerance (D) should not be adjusted to fit flawed systems. Thus, A is the correct course.
Reference: ISACA Advanced in AI Audit™ (AAIA™) Study Guide, Section: “AI Governance and Risk Management,” Subsection: “Risk Evaluation and Implementation Decision-Making”