How do other Internal Audit functions resource their internal QA program? For QA of samples of audit files (hot and cold reviews) and other thematic QA topics such as issue/action validation, how is this delivered? Do you use an external co-source firm to deliver QA services, or have an internal QA function or resource, or have peer reviews of audit files, etc.?
The answer to this question can be very subjective and varies based on a lot of factors like the organization, industry, regulatory requirements, etc.
Some commonly used approaches for QA of audit files are:
- Internal QA function, where the team is responsible for designing and executing the QA program. They may conduct reviews of audit files (hot and cold), validate issues and ensure compliance with internal policies and external standards.
- External Co-sourcing, which is adopted by some organizations to conduct QA reviews. These external firms are experts in audit processes and provide an objective assessment, especially regarding the compliance with standards.
- Peer Reviews, involve internal auditors reviewing each other's work. This is an effective way to ensure consistency across audits. Constructive criticism is the key here.
- Mixed approach, can also be adopted by some organizations. This approach utilizes a combination of the external and internal QA resources.
Overall it is the organization's choice about their level of independence and objectivity.
Thank you Shelly, much appreciated insight.
We currently have a separate QA function responsible for the QA Improvement Program. We do a post-completion engagement review (cold review) to validate against IIA performance standards. Hot review is performed by IA management. For the cold review, we have a formal report that we communicate to the team members involved in the audit, including the CAE, and discuss the results, which typically include best practices, gaps, and improvement opportunities.