
100+ Free AAIA Practice Questions

Pass your ISACA Advanced in AI Audit (AAIA) exam on the first try — instant access, no signup required.

Pass Rate: ISACA does not publicly report AAIA pass-rate statistics
2026 Statistics

Key Facts: AAIA Exam

  • Exam Questions: 90 (multiple-choice format)
  • Time Limit: 2.5 hr (PSI delivery)
  • Passing Score: 450/800 (scaled scoring)
  • Member Fee: $575 (non-member $760 + $50 application)
  • Launched: May 2025 (ISACA flagship AI audit credential)
  • Test Delivery: PSI (online proctoring or test center)

The ISACA AAIA (Advanced in AI Audit) launched in May 2025 as ISACA's flagship AI audit credential. The exam is 90 multiple-choice questions in 2.5 hours, with a 450/800 scaled passing score, $575 member / $760 non-member fee plus a one-time $50 application processing fee, delivered through PSI. To certify, candidates must hold an active qualifying credential — CISA, CIA, US CPA, ACCA/FCCA, Canadian CPA, Australian CPA/FCPA, or Japanese CPA with IT audit/advisory focus. Content is split across three weighted domains: AI Governance and Risk, AI Operations, and AI Auditing Tools and Techniques.

Sample AAIA Practice Questions

Try these sample questions to test your AAIA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. An organization is establishing board oversight of AI. Which artifact provides the strongest evidence that the board is exercising effective challenge over AI strategy?
A. An IT steering committee charter that mentions AI as a future topic
B. Documented board minutes recording risk-based discussion of AI use cases, model performance, and ethics escalations with action items
C. A signed AI acceptable use policy posted on the intranet
D. An annual cybersecurity tabletop exercise that includes generative AI scenarios
Explanation: Effective board oversight is evidenced by documented, periodic, risk-based discussion at the board (or designated committee) of AI strategy, material model performance issues, ethics or fairness escalations, and resulting decisions. ISACA's AI governance guidance and COBIT 2019 EDM01 expect minutes that show active challenge, not passive briefing.
2. Which control is the MOST important foundation for an AI governance program?
A. A complete and current inventory of AI systems and use cases with risk classification
B. GPU capacity planning across cloud regions
C. A purchased third-party LLM evaluation harness
D. A red-team exercise of the flagship chatbot
Explanation: An accurate, complete AI/model inventory with risk tiering is the cornerstone control: governance, risk register, regulatory mapping (EU AI Act, NIST AI RMF), and audit scoping all depend on knowing what exists. Without it, every downstream control is unreliable.
3. Under the EU AI Act, which of the following is classified as a high-risk AI system?
A. An email spam filter used internally
B. An AI system used to evaluate creditworthiness of natural persons
C. A recommender system on a movie streaming service
D. An internal meeting transcription tool
Explanation: The EU AI Act lists creditworthiness scoring of natural persons among Annex III high-risk areas. High-risk systems trigger conformity assessment, risk management, data governance, logging, transparency, human oversight, accuracy/robustness/cybersecurity, and post-market monitoring obligations.
4. NYC Local Law 144 requires an annual independent bias audit for which type of AI system?
A. Any chatbot used by city employees
B. Automated employment decision tools (AEDTs) used to substantially assist hiring or promotion in NYC
C. Any LLM trained on NYC resident data
D. Facial-recognition systems used in retail stores
Explanation: NYC Local Law 144 (effective enforcement July 5, 2023) requires employers and employment agencies to commission an independent bias audit of an Automated Employment Decision Tool (AEDT) within one year before use, publish a summary of results, and provide candidate notice. It applies to hiring or promotion decisions for NYC-based positions.
5. An auditor is testing an AEDT bias audit performed under NYC Local Law 144. Which calculation MUST be present?
A. Selection rate and impact ratio for each Title VII category and intersectional sex/race-ethnicity categories
B. ROC AUC for every model version released in the year
C. Differential privacy epsilon used in training
D. Mean opinion score from human reviewers
Explanation: Local Law 144 mandates that the bias audit calculate the selection rate and the impact ratio for each Title VII-protected sex and race/ethnicity category, plus intersectional categories. The summary must be publicly posted along with the date of the most recent audit and distribution of categories.
6. The Illinois Artificial Intelligence Video Interview Act requires which control before an employer uses AI to analyze applicant video interviews?
A. Notify the applicant that AI may be used, explain how it works, and obtain consent
B. File the model with the Illinois Department of Labor for approval
C. Use only models certified by NIST
D. Limit the interview to 15 minutes
Explanation: The Illinois AI Video Interview Act (effective 2020, expanded 2022) requires employers to (a) notify applicants that AI may be used to evaluate their video interview, (b) explain how the AI works and what general characteristics it uses, and (c) obtain the applicant's consent. It also imposes data deletion duties on request.
7. Colorado SB24-205 (the Colorado AI Act, effective February 1, 2026) imposes which duty on developers of high-risk AI systems?
A. Reasonable care to avoid algorithmic discrimination, including disclosures to deployers and impact assessment information
B. Mandatory open-sourcing of model weights
C. Liability insurance of $10 million per system
D. Registration of every model with the Colorado Secretary of State
Explanation: Colorado SB24-205 requires developers and deployers of high-risk AI systems to use reasonable care to protect consumers from algorithmic discrimination, give deployers documentation needed for impact assessments, disclose intended uses and known harms, and notify the AG of discovered discrimination. There is a rebuttable presumption of reasonable care if the duties are met.
8. GDPR Article 22 grants data subjects which right with respect to automated decisions?
A. The right to receive a refund within 30 days
B. The right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects, with safeguards including human intervention
C. The right to demand model weights
D. The right to opt out of any AI use
Explanation: GDPR Article 22(1) gives data subjects the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significantly affects them. Where exceptions apply, controllers must implement safeguards including the right to obtain human intervention, to express their point of view, and to contest the decision.
9. A bank uses a model to deny credit applications. To comply with US Federal Reserve SR 11-7, which control is essential?
A. Independent model validation including effective challenge, with documentation of conceptual soundness, ongoing monitoring, and outcomes analysis
B. Open-sourcing the model weights to regulators
C. Replacing the model with rule-based logic every two years
D. Encrypting model weights with FIPS 140-3 modules
Explanation: SR 11-7 (Supervisory Guidance on Model Risk Management) requires independent model validation that provides effective challenge across three components: conceptual soundness, ongoing monitoring, and outcomes analysis. The validator must be independent of model development and have authority to challenge.
10. An AI tool diagnoses skin lesions and recommends biopsy. FDA regulates this as Software as a Medical Device (SaMD). Which control is MOST critical for ongoing assurance?
A. A Predetermined Change Control Plan (PCCP) describing pre-specified modifications and modification protocol
B. Use of a permissive open-source license
C. Ensuring the cloud region is in the United States
D. Encrypting training data with AES-128
Explanation: FDA's 2024 final guidance on Predetermined Change Control Plans for AI/ML SaMD lets manufacturers pre-specify expected model modifications and the methods to implement them safely without re-submission per change. A PCCP is the central control for governing post-market AI/ML changes.

About the AAIA Exam

The ISACA Advanced in AI Audit (AAIA) is an advanced credential for IT auditors, internal auditors, and CPAs validating expertise to audit AI systems across governance, operations, and audit techniques. Coverage includes AI governance and risk (board oversight, model inventory, EU AI Act, NIST AI RMF, ISO/IEC 42001, sector regulations such as FDA SaMD and SR 11-7), AI operations (lifecycle controls, drift and fairness monitoring, RAG/vector store security, LLMOps), and AI auditing tools and techniques (sampling, fairness testing under the four-fifths rule, robustness and adversarial testing using MITRE ATLAS, explainability via SHAP/LIME, evidence collection, and audit analytics).

  • Assessment: 90 multiple-choice questions in 2.5 hours, distributed across three weighted domains: AI Governance and Risk, AI Operations, and AI Auditing Tools and Techniques
  • Time Limit: 2.5 hours
  • Passing Score: 450/800
  • Exam Fee: $575 (members) / $760 (non-members) + $50 application fee (ISACA / PSI)

AAIA Exam Content Outline

Domain 1: AI Governance and Risk

Board oversight of AI, AI policies and ethics committees, model inventory completeness, AI use case approval workflow, EU AI Act conformity, NYC Local Law 144 hiring AI bias audit, Illinois AI Video Interview Act, Colorado AI Act SB24-205, GDPR Article 22, FDA SaMD, SR 11-7 model risk management, stakeholder considerations, AI risk register, and assurance frameworks (NIST AI RMF, ISO/IEC 42001, IIA AI Auditing Framework, ICAEW AI Assurance, COBIT 2019 + AI extension, COSO ERM AI).

Domain 2: AI Operations

AI lifecycle controls, training data governance, model versioning, change control, retirement, operational resilience (RTO/RPO, fallback, degraded mode, MTTR), AI deployment monitoring (drift, accuracy, fairness drift, infrastructure, cost), GenAI/LLM operations including RAG architecture, vector DB security, fine-tuning governance, and LLMOps cost and reliability controls.

Domain 3: AI Auditing Tools and Techniques

AI audit planning, AI universe, audit scope, control testing, sampling for AI systems (ISO 19011, IIA 2240), data quality and model performance testing (accuracy/precision/recall/F1/AUC/Brier), fairness testing (four-fifths rule, demographic parity, equalized odds, equal opportunity), robustness/adversarial testing (FGSM/PGD, MITRE ATLAS), explainability (SHAP/LIME), evidence collection (model cards, datasheets, lineage, decision logs), audit analytics (Python, R, SAS, IDEA, ACL/HighBond), AI audit reports, third-party AI vendor audits (SOC 2 + AI controls, ISAE 3000), and continuous auditing.

How to Pass the AAIA Exam

What You Need to Know

  • Passing score: 450/800
  • Assessment: 90 multiple-choice questions in 2.5 hours, distributed across three weighted domains: AI Governance and Risk, AI Operations, and AI Auditing Tools and Techniques
  • Time limit: 2.5 hours
  • Exam fee: $575 (members) / $760 (non-members) + $50 application fee

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

AAIA Study Tips from Top Performers

1. Memorize the NIST AI RMF four core functions — GOVERN (cross-cutting), MAP, MEASURE, MANAGE — and key categories under each; AAIA expects fluency with this structure
2. Drill the EU AI Act risk tiers (prohibited, high-risk Annex III, limited, minimal) and high-risk obligations (Annex IV technical documentation, Article 9 risk management, Article 12 logging, Article 14 human oversight, Article 15 accuracy/robustness/cybersecurity)
3. Master fairness terminology: selection rate, impact ratio, four-fifths rule (EEOC), demographic parity, equalized odds, equal opportunity — and know when each applies
4. Build muscle memory for evidence-collection patterns: model cards, datasheets for datasets, decision logs, training-data lineage hashes, model registry entries, and SOC 2 + ISO/IEC 42001 third-party reports
5. Practice mapping LLM/GenAI risks to OWASP LLM Top 10 (LLM01 prompt injection, LLM03 training data poisoning, LLM06 sensitive information disclosure, LLM10 unbounded consumption) and to MITRE ATLAS adversary techniques
6. Be ready to choose between similar audit standards in scenarios: ISO 19011 for management-system audits, IIA 2240 for resource allocation, AICPA AU-C 500 / IIA 2310 for evidence sufficiency

Frequently Asked Questions

What is the ISACA AAIA exam?

The ISACA Advanced in AI Audit (AAIA) is an advanced certification launched by ISACA in May 2025. It validates an auditor's ability to audit AI systems across governance, operations, and tooling. The exam is 90 multiple-choice questions delivered through PSI in 2.5 hours, with a 450/800 scaled passing score. The credential targets experienced IT auditors, internal auditors, and CPAs who already hold a qualifying baseline certification.

Who is eligible to take the AAIA exam?

Candidates may sit for the AAIA exam without holding a prerequisite, but to be awarded the certification you must hold an active qualifying credential: ISACA CISA, IIA CIA, US CPA, ACCA/FCCA, Canadian CPA, Australian CPA/FCPA, or Japanese CPA with IT audit or advisory focus. The certification path is designed to add advanced AI-audit skills on top of a recognized audit credential.

What does the AAIA exam cover?

AAIA is built around three weighted domains: AI Governance and Risk (board oversight, AI inventory, EU AI Act, NYC Local Law 144, Colorado AI Act, GDPR Article 22, FDA SaMD, SR 11-7, NIST AI RMF, ISO/IEC 42001), AI Operations (training data governance, drift and fairness monitoring, RAG and vector store security, LLMOps), and AI Auditing Tools and Techniques (sampling, fairness testing, robustness/MITRE ATLAS, explainability via SHAP/LIME, evidence collection, IDEA/ACL/Python audit analytics).

How much does the AAIA exam cost?

The AAIA exam fee is $575 for ISACA members and $760 for non-members. There is also a one-time application processing fee of approximately $50. Annual maintenance fees apply after certification, and ISACA's continuing professional education (CPE) reporting is required to keep the AAIA active.

How is the AAIA exam scored?

Like other ISACA exams, AAIA uses a scaled score of 200-800, and a scaled score of 450 or higher is required to pass. The 90 multiple-choice questions are weighted by domain, and scaled scoring accounts for differences in form difficulty so candidates are not penalized for receiving a harder form.

What is the best way to prepare for the AAIA?

Start with ISACA's AAIA exam content outline. Study NIST AI RMF (the four functions and the GenAI Profile), ISO/IEC 42001 AIMS, IIA AI Auditing Framework, COBIT 2019, and key regulations (EU AI Act, NYC LL144, Illinois AI Video Interview Act, Colorado SB24-205, GDPR Article 22, FDA SaMD, SR 11-7). Drill fairness metrics (four-fifths, demographic parity, equalized odds), explainability (SHAP/LIME), MITRE ATLAS, and audit analytics tools (Python, IDEA, ACL/HighBond). Use the 100 free practice questions in this bank and review every wrong answer rationale.

Is AAIA worth it in 2026?

AAIA is positioned to become the leading AI-audit specialty credential as EU AI Act, Colorado AI Act, and sector regulators (FDA, banking SR 11-7, NIST) drive demand for credentialed AI auditors. For experienced CISA/CIA/CPA professionals, AAIA opens internal-audit AI assurance, third-party AI assurance (ISAE 3000), and AI risk advisory roles.