If your audit department has a Quality Assurance Program, how are you selecting audits to review? Additionally, does anyone complete horizontal reviews, e.g. doing a full-scope review of the issue management process, scoping process, work papers, etc.? If so, how are you going about sampling or selecting for the year's QA reviews?
1 completed audit per quarter and making sure that all lead auditors were selected for QA for the year. We leveraged the IIA QA Manual to assess the performance standards from planning, execution, reporting and follow up.
We have a 3 stage approach. At the end of each audit the auditees receive a satisfaction questionnaire which asks about the process, the communication throughout the audit, and the quality of the findings and recommendations. In addition the VP of each area goes through a quality gate with the auditor at the end of each audit to get and give feedback on the quality of the audit, reviewing the working papers and how they relate to the eventual findings. Finally twice a year all executives are asked to complete an iNPS rating for the department as a whole.
We select approximately 15% of our audits to review per year, and utilize a combination of judgmental and random selection, to ensure thorough coverage across all of our team. Our review covers the complete audit life cycle from risk assessment/planning through the issuance of the final audit report. We don't currently include issue management, although will be assessing and updating our program to incorporate the requirements from the new standards.
Great to hear. Currently, we are also benchmarking for 15% of the audit plan for full-scope QA reviews. We are currently looking to expand our reach into some other ways of doing things to maybe save time and resources. I appreciate your input!
One should conduct a thorough risk assessment to identify potential areas of risk within the organization. This involves understanding the business processes, identifying vulnerabilities, and assessing the impact of potential risks. One should take inputs from key stakeholders, including management on areas that should be included in the audit scope. This ensures that the audit addresses relevant concerns and covers high risk areas. The high-risk areas should be in audit scope every year. The medium ones once in 2 years and low risk ones can be covered once in 3 years so that all processes of your organization get covered in a cycle of 3 years.
Thank you! Yes we currently do this with our audit planning (actual audits we are going to test). We are more looking for a way to scope from that plan into our Quality Assurance and Improvement Program testing. Historically we have done this based on resources (getting a good sample of resources throughout the year), but are looking into maybe doing this a different way. I think we might try to go through a risk assessment of the processes in the department to see if there are higher risk processes that we can scope from a horizontal perspective (e.g. issue management, scoping, testing workpapers, etc.) vs. doing full scope on a single audit.
I've seen the QA function in various forms over the years. From high-level reviews of all audits to detailed reviews of a sample of audits. I think the detailed reviews provide the best feedback that drives training, development, and overall better working papers. The detailed reviews are horizontal, as you phrased, but the QA reviewer is not repeating any activities. The reviews include planning, scoping, fieldwork record of work done, observations, and the alignment of all of these to ensure nothing was overlooked. Also, the communications between the client before, during, and after fieldwork are reviewed. With automated working papers, the effort can be done in a few days. Heavy use of templates that are used to guide the QA reviewer so that the QA approach is consistently applied. All this work is done with less than 2% of overall IA salaries and wages.
Sampling is achieved, not randomly, but with a fair amount of judgement. Minimum number of audits per different lines of business, processes, and unplanned audits is the target, rather than a percent of any or all audit reports produced.
Similar to a construction project, some of the findings by the QA function have to be "fixed" before the audit can be closed, while other findings would be identified and communicated to stakeholders, but still allow the audit to be closed. Every effort is made to minimize debates/ discussions/ arguments with those who performed the audit itself by having standards and objective criteria.
Best Wishes.