REPORT NUMBER 147 OF THE AUDIT COMMITTEE
April 25, 2022
To the Business Board,
University of Toronto
Your Committee reports that it held a virtual meeting on Wednesday, April 25, 2022, at 4:00 p.m. with the following members present:
Joanne McNamara (Chair), Rajiv Mathur (Vice-Chair), Robert Boeckner, Teodora Dechev, Sue Graham-Nutter, Paul Huyer, Rima Ramchandani, Lara Zink
Alex Matos, Director of Internal Audit
Sheree Drummond, Secretary of the Governing Council
Scott Mabury, Vice President, Operations and Real Estate Partnerships
Trevor Rodgers, Chief Financial Officer
Timothy Harlick, Secretary
Bo Wandschneider, Chief Information Officer (for items 2 and 3)
Isaac Straley, Chief Information Security Officer (for items 2 and 3)
Kalyani Khati, Associate Director, Information Security Strategic Initiatives (for items 2 and 3)
Pierre Piché, Controller and Director of Financial Services
Jeff McIlravey, Audit Manager
Diana Brouwer, Ernst & Young
Joyce Yu, Ernst & Young
Audit Committee met in Closed Session
ITEM 6 WAS APPROVED BY THE COMMITTEE. ALL OTHER ITEMS ARE REPORTED TO
THE BUSINESS BOARD FOR INFORMATION.
Pursuant to section 6.1 of the Audit Committee Terms of Reference, consideration of items
11 and 12 took place in camera.
- Chair’s Remarks
The Chair welcomed members and guests to the meeting.
- Information Security Update: Information Security Program and Governance
The Chair welcomed Bo Wandschneider, Chief Information Officer, Isaac Straley, Chief Information Security Officer, and Kalyani Khati, Associate Director, Information Security Strategic Initiatives, Associate Director, Information Security Operations, to the meeting and invited Mr. Straley to offer his presentation to the Committee.
Mr. Straley provided a presentation on the University’s Information Security Program and Governance highlighting the following points:
- An overview of the University’s Policy on Information Security and the Protection of Digital Assets, that included the role and responsibilities of the Chief Information Security Officer, units within the University, and the Information Security Council (“ISC”).
- An overview of the ISC and its working groups that addressed mandates on education and awareness, risk compliance, metrics and reporting; incident response planning; procedures, standards and guidelines; and research.
- The key accomplishments of the ISC, some of which included endorsements of several initiatives such as: multi-factor authentication; Data Classification Standard, Baseline Information Security Standards, Incident Response Plan, and Remote Work Guidelines; strategies for the recruitment and retention of Information Security professionals; and the Data Asset Inventory and Information Risk Self-Assessment for units to measure and report on risk.
In response to questions asked by members, Mr. Straley provided the following:
- The Information Security Program that had been implemented could address the continuously evolving nature of cybersecurity risks including ransomware, particularly given the current geopolitical environment.
- The Information Security Risk Self-Assessment process had been launched for the entire university, with the Office of the Chief Information Security Officer leading education and training sessions to increase participation.
- Incident reporting, including reporting of near misses, continued to be a focus for process improvement.
- Through administrative policies, there were adequate enforcement mechanisms in place to address high risk situations.
The Chair thanked Mr. Straley for his presentation.
- Annual Report: Information Security and the Protection of Digital Assets
Members received the Annual Report on Information Security and the Protection of Digital Assets for information. Chief Information Security Officer, Isaac Straley reported on the key accomplishments that were made to improve the institution’s security posture which included expanded security standards and guidelines; improved resilience awareness and incident response; increased UTORID account security; a completed annual divisional data asset inventory and information risk self assessment; enhanced security for email and collaboration platforms; and an expanded CanSSOC.
In the ensuing discussion, Mr. Straley provided the following:
- Input from multiple sources, including the External Security Assessment and the Information Security Council was considered to set University’s targets for the Data Asset Inventory and Information Risk Self-Assessment.
- The tailored framework for DAI-IRSA was important and high-quality self-reporting was essential in providing assurance on information security risks.
- That while the Report indicated not all units had completed self-reported DAI-IRSA’s, the units that had not done so did indicate they had been following appropriate processes.
- Presentations on the use of program elements across divisions to senior administration had been an effective in encouraging further adoption of program elements within the University.
- The ISC was continuously evolving its practices and approaches on educating the University community on the benefits of the Information Security Program.
The Chair thanked Mr. Straley for his report.
- Draft Audited Financial Statements and Notes - April 30, 2022
The Committee received Draft Audited Financial Statements and Notes - April 30, 2022 for information. The Chair explained that the Committee would be asked at its June 20, 2022 meeting to recommend the full report to the Business Board for approval. Dr. Piche, Controller and Director of Financial Services, reported on the Notes and highlighted the major changes that had been made which included:
- Note 2 (h) – Pension plans: The accounting policy note had been expanded to include how the University accounted for its membership in the University Pension Plan Ontario (‘UPP”), the new Supplementary Account Plan and the now closed Supplemental Retirement Arrangement plan (“SAP”).
- Note 5 – Employee benefits plans: Revised disclosure on the responsibility of members and employers of the UPP and related contributions by the University. Disclosure of the obligations of the University for the net pension obligations related to the service up to July 1, 2021.
He also noted that the COVID note disclosure had been removed due to its immaterial impact on the University’s financial statements for 2022.
In response to questions asked by members, Dr. Piché clarified the notional and actual contribution requirements and costs associated with the SAP and those liabilities would be included in the annual financial report.
The Chair thanked Dr. Piché for his report.
- Report on Non-audit Services by the External Auditors for the period from October 1, 2021 to March 31, 2022
The Chair noted that in accordance with the Policy on the Use of the External Auditor for Non-Audit Services, the Audit Committee receives from the administration a quarterly report, resulting in an annual report. The report provided details of the payments made to the external auditors with respect to non-audit services for the period of October 1, 2021, to March 31, 2022.
Ms Diana Brouwer, Ernst & Young (“EY”) noted that EY had acquired SuMO, a Service Now provider that had been previously engaged by the University. An assessment had been completed and confirmed that EY’s independence was not impeded by the relationship.
There were no questions by members.
- Report of the Previous Meeting: Report 146, March 9, 2022
The report of the previous meeting was approved.
- Business Arising from the Report of the Previous Meeting
There was no business arising from the report of the previous meeting.
- Reports of the Administrative Assessors
There we no reports of the Administrative Assessors.
- Date of Next Meeting: June 20, 2022, at 4:00 p.m.
The Chair confirmed that the last meeting for the 2021-2022 governance year for the Committee would be held on June 20, 2022.
- Other Business
There were no items of other business.
The Committee moved in camera.
Internal Auditor: Private meeting
Members of the administration absented themselves and the Committee met privately with the Director and Deputy Director of Internal Audit.
Committee Members Alone
The Committee members met alone.
The Committee moved into closed session.
The meeting adjourned at 5:33 p.m.
April 26, 2022