ISACA AAIA: The Ultimate Guide to Advanced AI Audit

What Is the ISACA AAIA Certification—and Why Now?

The ISACA Advanced in AI Audit (AAIA) is a specialized certification for experienced auditors who need to evaluate AI systems, advise on AI governance and risk, and apply AI within the audit function. Launched in 2025, AAIA fills a critical gap: organizations are deploying AI quickly, but they also need assurance that AI is controlled, compliant, and delivering real value without unintended harm.

What makes AAIA stand out:

• It is laser-focused on AI audit practice across three domains—Governance & Risk, Operations, and Audit Tools & Techniques.

• It’s aimed at pros who already hold a flagship audit credential (like CISA, CIA, or CPA) and want to validate advanced, AI-specific assurance skills.

• It aligns with the rising demand for AI literacy and digital trust in audit and risk roles. (isaca.org)

Actionable takeaway: If you already operate at a CISA/CIA/CPA level and your organization is rolling out AI, AAIA is a direct signal that you can lead the assurance agenda for AI systems.

Eligibility and Prerequisites: Do You Qualify?

ISACA designed AAIA for professionals with a proven audit foundation. To register, you must hold one of these accepted prerequisites (active and in good standing):

• CISA (ISACA)

• CIA (IIA)

• US CPA

• ACCA or FCCA

• Canadian CPA

• CPA Australia (CPA or FCPA)

• Japanese CPA (JICPA)

You’ll also need to maintain your prerequisite designation while you hold AAIA. After you pass the exam, you have up to five years to submit your AAIA certification application. (isaca.org; isaca.org)

Actionable takeaway: Before you dive into study mode, confirm your eligibility and plan to keep your prerequisite credential active—it’s part of staying certified.

Exam Structure and Content: What You’ll Be Tested On

The AAIA exam is rigorous but practical. Here’s the high-level structure:

• Format: 90 multiple-choice questions

• Time: 150 minutes (2.5 hours)

• Languages: English (Spanish also offered per ISACA Madrid Chapter)

• Delivery: PSI test centers worldwide and remote proctoring (with some country restrictions) (isaca.org; engage.isaca.org)

The content is organized into three domains with weights that indicate how much you’ll see on the exam:

• Domain 1: AI Governance & Risk (33%)
  Policies, roles, ethical principles, risk assessment, data governance, privacy, compliance, and oversight mechanisms for AI systems.

• Domain 2: AI Operations (46%)
  AI/ML lifecycle and MLOps, secure development practices, validation and testing, deployment, monitoring (e.g., drift, performance, bias), change management, incident response.

• Domain 3: AI Auditing Tools & Techniques (21%)
  Scoping AI audits, control design and effectiveness testing, evidence and documentation, AI-enabled analytics in audits, reporting, and communication. (isaca.org)

About scoring: Many ISACA exams use a scaled score (200–800) with 450 as the passing mark. Several training providers list AAIA under this model as well; however, always confirm your sitting’s scoring policy in ISACA’s current candidate guide, as policies can change. (sapience-consulting.com)

Actionable takeaway: Weight your study time to match the blueprint. Domain 2 is the largest slice—plan to spend the most hours on AI operations, monitoring, and controls.

Registration, Scheduling, and Logistics: No Surprises on Test Day

Here’s how the process typically works:

• Register through ISACA to unlock a 12‑month eligibility window to sit for the exam. Appointments are generally available about 90 days out.

• Delivery options: Test at a PSI center or via remote proctoring.

• Country restrictions: Remote proctoring is not available in India, Mainland China, and Hong Kong; those candidates must use test centers.

• Rescheduling: Changes are generally permitted at least 48 hours before your appointment.
  (isaca.org)

Actionable takeaway: Decide early whether you’ll test in-center or remotely. If you’re in a restricted region, book a PSI center seat as soon as you register to secure your preferred date.

Costs and Ongoing Investment: Budget Smarter

You’ll need to plan for initial fees and ongoing maintenance:

• Exam registration: US$459 (ISACA members) or US$599 (non‑members)

• Application processing fee: US$50 (after you pass)

• Maintenance fees: US$20 per year (members) or US$35 (non‑members)

• CPE requirements: 10 AI‑domain CPEs annually; 30 over a 3‑year cycle
  (isaca.org; isaca.org)

Optional costs vary: ISACA’s Review Manual, Online Review Course, and QAE database are paid resources; local chapters and training partners may offer bundles and bootcamps that include an exam voucher. Check your ISACA chapter for member discounts or study groups. (engage.isaca.org)

Actionable takeaway: If you’re not already a member, compare the exam discount plus study-group access against the membership fee—membership often pays for itself.

What to Study: A Domain-by-Domain Deep Dive

Let’s translate the blueprint into a practical study map.

Domain 1: AI Governance & Risk (33%)

What to master:

• AI accountability and ethics: Principles, responsible use policies, RACI roles (e.g., model owners vs. model risk management vs. audit).

• Risk assessment: Bias, privacy, security, explainability, operational resiliency, third‑party/vendor risk for AI components.

• Data governance: Data lineage, quality, retention, lawful basis, consent, sensitive attributes, de‑identification, and secure use.

• Regulatory context: Understand the direction of AI regulation and frameworks such as NIST AI RMF 1.0 and the ISO/IEC 42001 AI management system standard; track your region’s AI laws (e.g., EU AI Act).
  (nist.gov)

Practice scenario:

• Your company wants to deploy a genAI assistant for customer service. Draft a governance checklist covering policy gates, risk assessment, data use constraints, model access controls, logging, and incident criteria before launch.

Actionable takeaway: Build a one‑page “AI policy gate” you can apply to any new AI use case—this will boost both your exam prep and your day job.

Domain 2: AI Operations (46%)

What to master:

• AI/ML lifecycle and MLOps: From data ingestion and feature engineering to training, validation, deployment, and monitoring.

• Testing and validation: Train/test splits, cross‑validation, hold‑outs, fairness testing, adversarial testing, performance thresholds.

• Monitoring and maintenance: Drift detection, bias rechecks, explainability, alerting on metrics (e.g., hallucination rates for LLMs), and change management for model updates.

• Security and resilience: Access control to models/artifacts, prompt injection defenses, data poisoning, model theft, incident response and post‑mortems.

• Vendor and API dependencies: SLAs for model latency, accuracy bounds, privacy promises, red‑team and safety commitments.

Practice scenario:

• You inherit an LLM that drafts audit working papers. Propose a monitoring plan: what metrics you’ll watch (factual accuracy by sample, hallucination rate, prompt‑leak attempts), who gets paged, and how you’ll roll back updates.

Actionable takeaway: Write a 12‑point “AI Operations Control Set” covering data, model, deployment, monitoring, change, and incident response. Refer to it when practicing exam vignettes.

Domain 3: AI Auditing Tools & Techniques (21%)

What to master:

• Scoping an AI audit: Define objectives, in-scope systems (models, data pipelines, APIs), stakeholders, and evidence sources.

• Control testing approaches: Process walkthroughs, configuration reviews, code and pipeline checks, sample‑based output testing, and bias/fairness tests.

• Audit evidence & reporting: Evidence sufficiency for AI contexts, reproducibility of tests, defensible documentation, and clear communication of residual risk.

• AI‑enabled audit analytics: How to responsibly use AI to accelerate testing and analysis without compromising independence or evidence quality.

Practice scenario:

• Plan a limited‑scope audit focused on AI model monitoring. Identify controls (e.g., drift alerts), evidence (dashboards/logs), and test steps to validate effectiveness and timeliness.

Actionable takeaway: Create two audit workpapers—(1) “AI System Scoping” and (2) “Model Monitoring Evidence”—and practice filling them from hypothetical data.

A 90‑Day Study Plan That Works

Here’s a balanced plan you can adjust to your schedule.

Weeks 1–2: Frame the terrain

• Skim the AAIA exam content outline and highlight subtopics you know vs. need to learn.

• Read the executive sections of NIST AI RMF 1.0 and a brief on ISO/IEC 42001 to anchor governance language and control families.

• Take the free 12‑question practice quiz to gauge baseline.
  (isaca.org)

Weeks 3–5: Governance & Risk + quick wins

• Work through Domain 1 in the Review Manual or Online Course.

• Draft your “AI policy gate” and a template for AI risk assessments.

• Do 150–200 practice questions focusing on policy, roles, ethics, data governance, and regulatory alignment.

Weeks 6–8: Operations deep dive

• Spend most of your time here: lifecycle, testing, monitoring, change control, and incidents.

• Build your “AI Operations Control Set” (12 checkpoints) and rehearse on two example systems (e.g., fraud detection model and internal genAI knowledge assistant).

• Do 250–300 practice questions weighted to Domain 2.

Weeks 9–10: Audit tools & techniques + mock exams

• Practice scoping, evidence sufficiency, AI‑enabled analytics, and reporting language.

• Create your two workpapers (scoping and monitoring evidence) and use them in a timed case.

• Take two full‑length timed mock exams (90 questions/150 minutes). Review all misses—especially pattern errors.

Final 7 days: Polishing

• Daily 60–90 minutes on mixed sets, rotating weak subdomains.

• Re‑read your templates (policy gate, ops controls, audit workpapers).

• Confirm your PSI test setup or center location, ID, and timing.
  (isaca.org)

Actionable takeaway: Design your own “AI audit toolkit” (policy gate, operations controls, two workpapers). These artifacts make the content stick and double as on‑the‑job assets.

Smart Registration and Scheduling Tips

• Pick your date first. A clear deadline drives your study cadence. Book within your 12‑month eligibility window as soon as you register.

• Choose delivery wisely. If you’re in India, Mainland China, or Hong Kong, you must test in‑center; elsewhere, remote is an option—ensure a quiet room, stable internet, and compatible device.

• Know reschedule rules. Aim to finalize your slot at least 48 hours in advance to avoid change restrictions.
  (isaca.org)

Actionable takeaway: Book your slot at registration—then backward‑plan your study sprints and mock exams around that date.

Exam-Day Strategy: How to Maximize Your Score

• Use the domain weights. On tough items, ask yourself: is this governance, operations, or tools? Lean on your strongest domain when eliminating distractors.

• Scenario framing. For case‑style questions, anchor on risk, controls, and evidence. Beware of answers that skip monitoring or documentation.

• Time slicing. 90 questions in 150 minutes ≈ 1.6 minutes/question. Flag and move; return later.

• Think “defensible audit.” The right choice usually includes monitoring, explainability, or evidence integrity rather than a one‑time fix.

Actionable takeaway: Practice 3–4 “mini sprints” (15–20 questions in 25–30 minutes) to hone your pace and decision rhythm.

After You Pass: Application, CPEs, and Maintenance

• Application: You have up to five years to submit your certification application after passing.

• CPEs: Earn 10 CPEs per year in the AI domain and 30 CPEs over three years.

• Fees: Pay the annual maintenance fee (US$20 member / US$35 non‑member).

• Keep your prerequisite active: Your CISA/CIA/CPA (or equivalent) must remain in good standing while you hold AAIA.
  (isaca.org)

Actionable takeaway: Set a recurring “CPE calendar” now—mix conferences, ISACA webinars, and hands‑on AI governance projects for credit.

Career Value and ROI: Why AAIA Is Worth It

Here’s why AAIA is timely and high‑impact:

• Employer signal: AAIA shows you can both evaluate AI responsibly and leverage AI to elevate audit quality and efficiency—two priorities for modern audit teams. (isaca.org)

• Regulatory momentum: The EU AI Act and similar initiatives are phasing in; organizations are building AI governance programs, controls, and assurance processes, creating new roles for AI‑savvy auditors. (lemonde.fr)

• Framework alignment: NIST AI RMF 1.0 and ISO/IEC 42001 offer common language and structure—AAIA‑ready auditors can connect audit objectives to recognized frameworks. (nist.gov)

Actionable takeaway: Highlight AAIA plus your prerequisite (e.g., CISA + AAIA) on your résumé and LinkedIn headline; add 2–3 bullet examples of AI audit work to make the signal tangible.

Real‑World Application: Where AAIA Skills Show Up on Day 1

Here are concrete use cases you can tackle with confidence:

• Audit a generative AI assistant:
  Scope the system (model, data, prompts), verify data governance (PII handling, redaction), test controls (role‑based access, prompt injection defenses), define monitoring metrics (hallucination rate, drift), and validate incident response steps.

• Assess an AI‑powered fraud detection model:
  Review training data quality and lineage, evaluate threshold settings and retraining frequency, test for concept drift and false‑positive impacts, verify change management (rollback plans), confirm audit evidence reproducibility.

• Use AI in your audit work:
  Apply AI‑assisted analytics to triage anomalies, generate initial test scripts, and summarize large evidence sets—while preserving independence, traceability, and explainability in your workpapers.

Actionable takeaway: Use your “AI audit toolkit” (policy gate + ops controls + two workpapers) as a starting set for your next AI‑related audit or advisory engagement.

Common Pitfalls—and How to Avoid Them

• Over‑indexing on model accuracy: Accuracy without monitoring and change control is fragile. Always pair performance with governance and ops controls.

• Ignoring data governance: Weak data lineage, consent, and retention controls will sink otherwise good models.

• Uncritical use of AI in audits: Treat AI‑generated outputs as inputs—not final answers. Preserve evidence integrity and human oversight.

• Studying evenly across domains: The exam is not weighted evenly; invest most time in Domain 2 (46%).
  (isaca.org)

Actionable takeaway: In your notes, mark every practice question you miss by domain and root cause; correct patterns (e.g., missed monitoring steps) rather than isolated facts.

Quick Reference: Official Sources and Must‑Know Policies

• AAIA program home (eligibility, costs, logistics) and free practice quiz

• AAIA exam content outline (domains/weights)

• Candidate guide hub (scheduling, retakes, scoring policies—confirm for your sitting)

• Maintain AAIA (CPEs, fees, ongoing requirements)

• Launch and eligibility‑expansion press (context and updates)
  (isaca.org; isaca.org; isaca.org; isaca.org; isaca.org)

Actionable takeaway: Bookmark the AAIA exam content outline and the candidate guide hub—you’ll reference them repeatedly during prep.

FAQs

Q1: How many questions are on the AAIA exam, and how long is it?
A1: 90 multiple‑choice questions, 150 minutes. English is available; Spanish availability is confirmed via ISACA Madrid Chapter. Always verify your language options at registration. (engage.isaca.org)

Q2: What is the passing score?
A2: Training partners indicate a scaled model (200–800) with 450 to pass. Confirm the current scoring and retake policy for your specific sitting in ISACA’s candidate guide. (sapience-consulting.com; isaca.org)

Q3: Can I take the exam online?
A3: Yes—remote proctoring is offered in many regions, but candidates in India, Mainland China, and Hong Kong must test at PSI centers. (isaca.org)

Q4: How much does AAIA cost?
A4: US$459 for ISACA members, US$599 for non‑members; after passing, a US$50 application processing fee applies. (isaca.org)

Q5: What are the maintenance requirements?
A5: 10 AI‑domain CPEs per year, 30 over three years, plus an annual maintenance fee (US$20 member / US$35 non‑member). You must also maintain your prerequisite certification (e.g., CISA/CIA/CPA). (isaca.org)

Conclusion:
If you want to be the go‑to auditor for AI—someone who can evaluate AI systems, improve AI governance, and safely apply AI in audit—AAIA is a powerful next step. Start by confirming your eligibility, schedule your date, and follow the 90‑day plan. Build your own AI audit toolkit as you study. When you pass, you’ll join a growing community of auditors at the front line of AI assurance and digital trust.