Question 6 - Isaca AAIA Real Exam Questions [Feb 2026 Update]

Q: 6

An IS auditor uses an internally developed generative AI tool to prepare a status update for audit stakeholders. Which of the following is the auditor’s MOST appropriate course of action?

Options

Correct Answer:

Explanation

The auditor's fundamental responsibility is to exercise professional due care, which includes ensuring that all communications and work products are accurate, complete, and supported by sufficient evidence. When using a generative AI tool, the output is merely a draft that assists the auditor; it is not a substitute for professional judgment and verification. The auditor remains fully accountable for the content they disseminate. Therefore, the most critical and appropriate action is to meticulously assess the AI-generated status update for factual accuracy and completeness against the underlying audit evidence before taking any further steps.

Why Incorrect

A: Comparing with a public tool is inappropriate as it introduces data confidentiality risks and does not validate accuracy, since both tools could be flawed or biased differently.

C: Regenerating results only tests the model's output consistency (stability), not the factual correctness of the information provided in a specific instance.

D: Sharing results with management before the auditor has personally verified their accuracy and completeness is a failure of professional due care.

References

1. ISACA. (2023). Artificial Intelligence for Auditing. This white paper emphasizes the principle of human oversight

stating

"Auditors must understand the AI system’s limitations and potential biases... and validate the outputs of AI systems to ensure their accuracy and reliability." This directly supports the need to assess the information before use.

2. ISACA. (2020). ITAF: A Professional Practices Framework for IS Audit/Assurance

4th Edition. Standard 1204

Professional Due Care

requires IS auditors to exercise care and diligence. Guideline 2204 further specifies that auditors must obtain sufficient and appropriate evidence. An unverified AI output does not constitute sufficient or appropriate evidence; it must be validated by the auditor.

3. Moffitt

K. C.

Rozario

A. M.

& Vasarhelyi

M. A. (2018). Robotic Process Automation for Auditing. Journal of Emerging Technologies in Accounting

15(1)

1-10. While focused on RPA

the principles extend to AI. The paper underscores that automation assists

but does not replace

the auditor's professional judgment and responsibility to validate the outputs of automated systems. (https://doi.org/10.2308/jeta-52047)

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE