Question 1

Which of the following controls would MOST effectively mitigate worst-case service disruption scenarios affecting an AI-based application system?

Accepted Answer

D

Explanation: A Disaster Recovery Plan (DRP) is the foundational control for mitigating the impact of significant service disruptions. For an AI-based system, which has unique failure modes like model poisoning, catastrophic forgetting, or adversarial attacks, a generic DRP is insufficient. Including a range of specific AI disruption scenarios within the DRP ensures that the organization has pre-planned, tested, and resourced procedures to recover from worst-case events. This proactive and comprehensive planning is the most effective strategy for ensuring timely and orderly restoration of services, thereby minimizing business impact. It is more encompassing than reactive measures or testing activities alone.

Question 2

Which of the following is the GREATEST risk associated with using AI in audit planning?

Accepted Answer

C

Explanation: The greatest risk associated with using AI in audit planning is incomplete data. AI models are fundamentally data-driven; their ability to identify risks, patterns, and anomalies for audit planning depends entirely on the quality and completeness of the input data. If the data used to train or run the AI is incomplete, biased, or inaccurate, the resulting audit plan will be inherently flawed. This "Garbage In, Garbage Out" (GIGO) principle can lead auditors to focus on the wrong areas or, more critically, to miss significant risks, thereby undermining the entire audit's effectiveness and reliability.

Question 3

To confirm the fairness of AI model decisions, the BEST way to collect reliable evidence during an AI audit is by:

Accepted Answer

B

Explanation: The most reliable and objective method for an auditor to confirm the fairness of an AI model's decisions is by testing it with a curated sample dataset. This approach, a form of substantive testing, allows the auditor to use a controlled, representative, and specifically designed dataset to systematically evaluate the model's outputs for biases against protected attributes or subgroups. The results are quantifiable using established fairness metrics, providing direct, empirical, and repeatable evidence of the model's behavior. This is superior to indirect, subjective, or uncontrolled methods.

Question 4

Which of the following will provide the BEST evidence to support the alignment of an AI model with an organization's business objectives?

Accepted Answer

C

Explanation: An AI model inventory is a centralized repository that catalogs all AI models within an organization. A comprehensive inventory documents critical information for each model, including its intended purpose, business owner, scope, and the specific business problem it addresses. This documentation provides the most direct and holistic evidence for an auditor or reviewer to assess how individual AI systems and the overall AI portfolio align with and support the organization's strategic business objectives. It serves as the foundational record linking technical assets to business value.

Question 5

Which of the following is the PRIMARY reason IS auditors must be aware that generative AI may return different investment recommendations from the same set of data?

Accepted Answer

C

Explanation: The core computational logic of most generative AI models is probabilistic, not deterministic. When given a prompt or a set of data, the model calculates a probability distribution over a vast range of possible next words or tokens. The final output is then generated by sampling from this distribution. Techniques like temperature scaling and nucleus sampling are used to control the randomness of this sampling process. Because the output is a result of probabilistic sampling, running the same query multiple times can produce different, yet plausible, results. An IS auditor must understand this inherent stochasticity to evaluate the model's consistency, reliability, and the associated risks for high-stakes applications like financial advice.

Question 6

When utilizing a machine learning (ML) model to predict whether a wind turbine electricity generator will fail, which model evaluation metric should be the PRIMARY focus?

Accepted Answer

D

Explanation: In a predictive maintenance scenario like forecasting wind turbine failure, the cost of a False Negative (failing to predict an actual failure) is significantly higher than the cost of a False Positive (predicting a failure that does not occur). A missed failure could lead to catastrophic damage, extended downtime, and safety hazards. Recall, also known as Sensitivity or the True Positive Rate, measures the model's ability to identify all actual positive cases (TP / (TP + FN)). Therefore, maximizing recall is the primary objective to ensure as few actual failures as possible are missed, even if it means accepting more false alarms.

Question 7

Which of the following is the BEST way to support the development and design of high-risk AI systems?

Accepted Answer

C

Explanation: The development and design of high-risk AI systems are fundamentally dependent on the data used for training, validation, and testing. Ensuring the availability of trustworthy data sets—which are relevant, representative, accurate, and free from inappropriate bias—is the most critical prerequisite. This foundational element directly impacts the model's performance, reliability, fairness, and safety. Without high-quality, trustworthy data, it is impossible to develop a high-risk AI system that is robust and aligned with its intended purpose, making this the most crucial support mechanism during the design phase.

Question 8

The BEST way to prevent sensitive information disclosure by large language model (LLM) chatbots is through:

Accepted Answer

D

Explanation: Data masking is the most effective preventative control because it addresses the root cause of potential information disclosure. This technique replaces sensitive data elements (e.g., names, social security numbers, credit card details) with realistic but non-sensitive, structurally equivalent placeholders before the data is used to train or fine-tune the LLM. By masking the data at the source, the model never learns or memorizes the actual sensitive information, making it impossible for it to disclose it later. This preserves the data's format and utility for training while eliminating the privacy risk.

Question 9

Which of the following correctly summarizes the conclusions of the model card excerpt provided?
Model Card – Electrical Grid Predictive Maintenance Model
Model Information:
Description: AI model designed to predict maintenance needs for electrical grid components, reduce
unplanned downtime, and improve grid reliability.
Inputs: Real-time sensor data, historical maintenance records, and operational logs.
Outputs: Maintenance needs predictions for 60 & 90 days.Evaluation:
Approach: Cross-validation and validation of accuracy, precision, and recall.
Results: Accuracy 72%; Precision 60%; Recall 95%; F1 76%

Accepted Answer

D

Explanation: The F1 score is the harmonic mean of precision and recall, designed to provide a single, balanced measure of a model's performance, especially when there is an uneven class distribution. An F1 score of 76% indicates the model's overall effectiveness in correctly identifying positive cases (i.e., "true maintenance needs") while accounting for both false positives (precision) and false negatives (recall). It is the most accurate summary of the model's predictive capability among the given options.

Question 10

Which of the following is the MOST important reason to perform regular ethical reviews of AI systems?

Accepted Answer

C

Explanation: The primary and most fundamental purpose of an ethical review for an AI system is to assess its impact on people and society. This is most precisely captured by ensuring the system's operations align with the preservation of individual rights. Core ethical principles in AI, such as fairness, non-discrimination, privacy, and autonomy, are directly rooted in fundamental human and individual rights. While other aspects like performance and organizational alignment are important, they are often secondary to or derived from this core ethical mandate to "do no harm" and protect human dignity and rights.

Question 11

Which of the following strategies used by modelers to enhance data accuracy has the GREATEST risk of bias and information loss?

Accepted Answer

A

Explanation: Imputation by filling missing values with a central tendency statistic (mean, median, or mode) introduces significant bias. This method artificially reduces the variance of the dataset and can distort the covariance and correlation between variables, as it assumes the missing data follows the same distribution as the observed data. This often leads to underestimation of standard errors and biased model parameters. Furthermore, it causes information loss by discarding the potentially meaningful pattern of "missingness" itself, replacing it with a single, unrepresentative value. While other methods have drawbacks, this naive imputation carries the greatest combined risk of fundamentally skewing the data's statistical properties.

Question 12

In the context of an AI implementation, which of the following actions is MOST critical for an organization's change management program?

Accepted Answer

C

Explanation: A comprehensive, AI-specific risk assessment is the most critical foundational action within a change management program for AI implementation. AI systems introduce unique and complex risks, such as algorithmic bias, model drift, data poisoning, and lack of explainability, which differ significantly from traditional IT systems. Conducting a risk assessment allows the organization to identify, analyze, and evaluate these potential negative impacts before a change is deployed. This proactive step informs all other change management activities, including the level of scrutiny required, testing protocols, stakeholder communication, and the necessary governance approvals, ensuring the change is managed effectively and responsibly.

Question 13

Which of the following testing techniques would BEST validate whether an organization's data governance program effectively ensures data quality and integrity for AI model training and deployment?

Accepted Answer

D

Explanation: Assessing data lineage is the most direct and effective technique to validate a data governance program's control over data quality and integrity for AI. Data lineage provides a verifiable audit trail of data from its origin through all transformations and processing steps until it is used for model training and deployment. By examining this trail, an auditor can confirm the provenance of the data, identify any unauthorized or improper modifications, and ensure that the data adheres to established quality standards. This directly tests the operational effectiveness of the governance framework in maintaining trustworthy data for AI systems.

Question 14

Which of the following is an IS auditor's MOST important course of action when determining whether source data should be entered into approved generative AI tools to assist with an audit?

Accepted Answer

D

Explanation: The fundamental principle of any audit is the reliance on sufficient, reliable, and relevant evidence. Before an IS auditor considers using any analytical tool, including generative AI, their primary and most critical responsibility is to ascertain the reliability of the source data itself. This aligns with the "Garbage In, Garbage Out" (GIGO) principle. If the input data is unreliable, any output generated by the AI tool will be inherently flawed, rendering the audit conclusions invalid. Therefore, validating the reliability of the information is the foundational prerequisite.

Question 15

Which use case for an AI model to be used by a food delivery service would pose ethical risk to the organization?

Accepted Answer

B

Explanation: This use case poses a significant ethical risk due to "algorithmic management," where an AI makes high-stakes decisions about human employment. Basing termination solely on a metric like "delivered orders per total hours worked" is inherently problematic. The model is likely to be biased, as it cannot account for contextual factors beyond a driver's control, such as restaurant delays, traffic conditions, or order distance. This can lead to unfair and discriminatory outcomes, directly impacting individuals' livelihoods without transparency or a clear process for appeal. Such automated decisions raise profound ethical questions about fairness, accountability, and the dehumanization of labor.

Free Isaca AAIA Actual Exam Questions