Applied AI cert-prep add-on

ISACA Advanced in AI Audit (AAIA) Exam Prep Add-On

Convert AI Governance and Risk into an ISACA AAIA ramp for the AI audit credential.

$197 add-on60h additional studyTarget exam: ISACA Advanced in AI Audit (AAIA)Exam fee: $575

What the add-on ships

++Domain reviews aligned to the official ISACA AAIA exam outline
++Three full-length mock exams matching the ISACA scenario format
++Audit-methodology worked examples applied to AI systems including data, models, evaluation, and operational controls
++Mapping of AAIA exam domains to NIST AI 100-1, NIST AI 600-1, and ISO/IEC 42001
++Direct link to the official ISACA AAIA exam page as the canonical reference

Built on the parent course

++AI Governance and Risk 12-module curriculum covering NIST AI RMF, EU AI Act, ISO/IEC 42001, audit programs
++Risk identification, impact assessment, and control evaluation practice from the parent course

Parent course: ai governance and risk

Best for

++IT auditors moving into AI audit with an active CISA credential
++Internal audit teams scoped to cover AI-system risk under NIST AI 600-1 or EU AI Act conformity
++Risk and compliance practitioners who already hold CISA and want to credential AI-specific audit capability

Practice surface

++Three full-length mock exams in ISACA's scenario format
++Audit-methodology worked examples for AI lifecycle stages
++Targeted weak-area question drilling per AAIA domain weighting

Buy the add-on

$197 on top of the ai governance and risk parent course. Lifetime access to the practice materials, mock exams, and exam-day worksheets.

See the parent course

Exam summary

ISACA Advanced in AI Audit (AAIA) is the working AI-audit credential layered on top of an active ISACA CISA or equivalent audit credential. The exam covers AI governance frameworks (NIST AI RMF, NIST AI 600-1, ISO/IEC 42001), AI risk identification and assessment, AI audit methodology applied across the AI lifecycle, AI ethics and fairness from the audit posture, and compliance with major AI laws. Pass mark is a scaled cut score; exam is 90 minutes of proctored multiple choice.

Domain reviews

AI Governance Frameworks and Standards

The standards an audit engagement evaluates AI systems against.

++NIST AI 100-1 four functions: GOVERN, MAP, MEASURE, MANAGE
++NIST AI 600-1 GenAI Profile twelve risk categories
++ISO/IEC 42001 AI management system, Annex SL alignment
++EU AI Act risk tiers and conformity assessment requirements
++Sector-specific overlays: HIPAA, FCRA, EEOC guidance

Primary sources:

AI Risk Identification and Assessment

How auditors identify, score, and prioritize AI-system risks.

++AI risk register design: inherent risk, residual risk, control effectiveness
++Risk-scoring methodologies: qualitative matrices, quantitative scoring
++AI-specific risks from NIST AI 600-1 taxonomy
++Third-party AI risk: vendor model cards, AI BOMs
++Sampling and population definition for AI control testing

Primary sources:

AI Audit Methodology (Data, Models, Evaluation, Operations)

How the auditor evidences and tests AI controls across the lifecycle.

++Data provenance and quality audit (training data, fine-tuning data, retrieval corpora)
++Model audit: model card review, evaluation methodology, fairness testing evidence
++Operational audit: deployment process, monitoring controls, incident response
++Audit evidence requirements: documentation, sampling, retesting
++Reporting findings: severity classification, management response, remediation timeline

Primary sources:

AI Ethics, Fairness, Bias from Audit Posture

How the auditor evaluates ethics, fairness, and bias controls.

++Fairness criteria: demographic parity, equal opportunity, equalized odds, individual fairness
++Disparate impact analysis: four-fifths rule, statistical significance testing
++Transparency requirements: model cards, system cards, data sheets for datasets
++Human-in-the-loop and human oversight controls
++Ethics committee design and decision documentation

Primary sources:

Compliance with Major AI Laws and Regulations

The legal regimes an audit must reference and test against.

++EU AI Act conformity assessment, post-market monitoring, incident reporting
++US state AI laws: Colorado AI Act, California SB 942 / AB 2013 / AB 1836
++EEOC AI hiring guidance and enforcement history (iTutorGroup, Mobley v. Workday)
++GDPR Article 22 automated decision-making restrictions
++Sector overlays: HIPAA AI guidance, FCRA, NYC Local Law 144

Primary sources:

Practice scenarios (8)

Practice scenarios are scenario-based learning, not exam-question mimicry. Each scenario maps to a specific exam domain and includes a worked explanation plus a primary-source citation. Reproducing actual exam items would violate the cert body's NDA; the format here exercises the same underlying concepts under different surface phrasing.

Preview scenario 1 of 8 · AI Governance Frameworks and Standardsfree preview

An auditor is scoping an AI audit for a high-risk AI system used to triage insurance claims. The auditee follows ISO/IEC 42001. Which evidence artifact best demonstrates that the auditee has met ISO/IEC 42001's planning requirement (clause 6) for AI risks and opportunities?

A. Project Gantt chart for the AI development effort
B. AI risk register with documented impact assessments, opportunities, and treatment plans tied to the management system's policy
C. Vendor quote for the cloud-hosting provider
D. Executive summary slide deck from the last all-hands meeting

Answer: B

Clause 6 of ISO/IEC 42001 covers planning, including AI risks and opportunities. The required evidence is a risk register with documented impact assessments, opportunities, and treatment plans linked to the management-system policy. Gantt charts, vendor quotes, and all-hands slides do not satisfy the clause.

Reference: ISO/IEC 42001:2023 overview

Unlock the rest

7 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $197 one-time, lifetime access.

Exam-day strategy

++Read each question for which NIST function or which clause of ISO/IEC 42001 it is testing. AAIA questions often resolve via the exact taxonomy.
++For EU AI Act questions, identify whether the question is about Provider, Deployer, or User obligations. The right answer often hinges on the role.
++Audit-methodology questions usually have one defensible answer that names the canonical ITAF / NIST guidance. Eliminate options that recommend skipping evidence.
++Watch for distractors that confuse fairness criteria (demographic parity vs equal opportunity). The distinctions are precise and tested repeatedly.
++Pace at roughly 60 seconds per question. 90 minutes is tight if you over-think governance scenarios.

Additional resources

Sources

Official ISACA Advanced in AI Audit (AAIA) exam page (certifying body)

Exam fee and blueprint last verified 2026-05-22. Confirm current values with the certifying body before scheduling the exam.

What the add-on ships

++Domain reviews aligned to the official ISACA AAIA exam outline

++Three full-length mock exams matching the ISACA scenario format

++Audit-methodology worked examples applied to AI systems including data, models, evaluation, and operational controls

++Mapping of AAIA exam domains to NIST AI 100-1, NIST AI 600-1, and ISO/IEC 42001

++Direct link to the official ISACA AAIA exam page as the canonical reference

Exam summary

Domain reviews

AI Governance Frameworks and Standards

The standards an audit engagement evaluates AI systems against.

++NIST AI 100-1 four functions: GOVERN, MAP, MEASURE, MANAGE
++NIST AI 600-1 GenAI Profile twelve risk categories
++ISO/IEC 42001 AI management system, Annex SL alignment
++EU AI Act risk tiers and conformity assessment requirements
++Sector-specific overlays: HIPAA, FCRA, EEOC guidance

Primary sources:

AI Risk Identification and Assessment

How auditors identify, score, and prioritize AI-system risks.

++AI risk register design: inherent risk, residual risk, control effectiveness
++Risk-scoring methodologies: qualitative matrices, quantitative scoring
++AI-specific risks from NIST AI 600-1 taxonomy
++Third-party AI risk: vendor model cards, AI BOMs
++Sampling and population definition for AI control testing

Primary sources:

AI Audit Methodology (Data, Models, Evaluation, Operations)

How the auditor evidences and tests AI controls across the lifecycle.

++Data provenance and quality audit (training data, fine-tuning data, retrieval corpora)
++Model audit: model card review, evaluation methodology, fairness testing evidence
++Operational audit: deployment process, monitoring controls, incident response
++Audit evidence requirements: documentation, sampling, retesting
++Reporting findings: severity classification, management response, remediation timeline

Primary sources:

AI Ethics, Fairness, Bias from Audit Posture

How the auditor evaluates ethics, fairness, and bias controls.

++Fairness criteria: demographic parity, equal opportunity, equalized odds, individual fairness
++Disparate impact analysis: four-fifths rule, statistical significance testing
++Transparency requirements: model cards, system cards, data sheets for datasets
++Human-in-the-loop and human oversight controls
++Ethics committee design and decision documentation

Primary sources:

Compliance with Major AI Laws and Regulations

The legal regimes an audit must reference and test against.

++EU AI Act conformity assessment, post-market monitoring, incident reporting
++US state AI laws: Colorado AI Act, California SB 942 / AB 2013 / AB 1836
++EEOC AI hiring guidance and enforcement history (iTutorGroup, Mobley v. Workday)
++GDPR Article 22 automated decision-making restrictions
++Sector overlays: HIPAA AI guidance, FCRA, NYC Local Law 144

Primary sources:

Practice scenarios (8)

Preview scenario 1 of 8 · AI Governance Frameworks and Standardsfree preview

A. Project Gantt chart for the AI development effort
B. AI risk register with documented impact assessments, opportunities, and treatment plans tied to the management system's policy
C. Vendor quote for the cloud-hosting provider
D. Executive summary slide deck from the last all-hands meeting

Answer: B

Reference: ISO/IEC 42001:2023 overview

Unlock the rest

7 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $197 one-time, lifetime access.

Exam-day strategy

++Read each question for which NIST function or which clause of ISO/IEC 42001 it is testing. AAIA questions often resolve via the exact taxonomy.

++For EU AI Act questions, identify whether the question is about Provider, Deployer, or User obligations. The right answer often hinges on the role.

++Audit-methodology questions usually have one defensible answer that names the canonical ITAF / NIST guidance. Eliminate options that recommend skipping evidence.

++Watch for distractors that confuse fairness criteria (demographic parity vs equal opportunity). The distinctions are precise and tested repeatedly.

++Pace at roughly 60 seconds per question. 90 minutes is tight if you over-think governance scenarios.