Question 17
Domain 1 — AI Governance and Risk ManagementAn IS auditor uses an internally developed generative AI tool to prepare a status update for audit stakeholders. Which of the following is the auditor's MOST appropriate course of action?
Correct answer: B
Explanation
An auditor must verify AI-generated content before relying on it, because generative tools can produce incomplete or inaccurate output. The most appropriate action is to "assess whether the information provided is complete and accurate" before sharing it with stakeholders, ensuring the status update is reliable and consistent with audit evidence.
Why each option is right or wrong
A. Compare results with a publicly available generative AI tool to ensure outputs are similar.
B. Assess whether the information provided is complete and accurate.
ISACA’s Code of Professional Ethics requires members to perform duties with due diligence and in accordance with professional standards, which in practice means not relying on unverified AI output as audit evidence or stakeholder communication. Because the status update is being prepared from an internally developed generative tool, the auditor must validate the content against underlying audit records and confirm it is complete and accurate before distribution; otherwise the communication could be misleading or materially incomplete.
C. Regenerate the results to ensure similar outputs are provided.
D. Share and review the results with management.