REPORT NUMBER 142 OF THE AUDIT COMMITTEE
April 26, 2021
To the Business Board,
University of Toronto
Your Committee reports that it held a virtual meeting on Monday, April 26, 2021, at 4:00 p.m. with the following members present:
Janet Ecker (Chair), Joanne McNamara (Vice-Chair), Teodora Dechev, Robert Boeckner, Kathryn Jenkins, Sue Graham-Nutter, Rajiv Mathur, Andrew Szende, Lara Zink
Mark L. Britt (Director, Internal Audit), Sheila Brown (Chief Financial Officer), Sheree Drummond (Secretary, Governing Council), Scott Mabury (Vice President, Operations and Real Estate Partnerships)
Tracey Gameiro, Secretary, Audit Committee
Diana Brouwer (Ernst & Young), Alanna Charles (Ernst & Young), Daniel Ottini (Deputy Director, Internal Audit), Isaac Straley, (Chief Information Security Officer)
Bo Wandschneider, (Chief Information Officer)
Audit Committee met in Closed Session.
ITEM 2 WAS APPROVED. ALL OTHER ITEMS ARE REPORTED
TO THE BUSINESS BOARD FOR INFORMATION.
Pursuant to section 6.1 of the Audit Committee Terms of Reference,
consideration of items 10 and 11 took place in camera.
- Chair’s Remarks
The Chair welcomed members and guests to the virtual meeting and reminded those in attendance that the Committee meets in closed session.
- Report of the Previous Meeting
Report Number 141, from the meeting of March 3, 2021, was approved.
- Business Arising from the Report of the Previous Meeting
There was no business arising from the report of the previous meeting.
- Reports of the Administrative Assessors
In response to the Committee’s request for information regarding the procedure for reporting incidents of suspected financial impropriety, as well as further detail regarding indications of cybersecurity risks revealed during audit investigations, Mr. Mark Britt, Director of Internal Audit, reported the following:
Reporting Incidents of Financial Impropriety
- Where Internal Audit determines that an investigation should be undertaken, it will be guided by the Procedure for Reporting of Incidents of Suspected Financial Impropriety. (“the Procedure”).
- Once substantiated, serious allegations of financial impropriety are reported to the Audit Committee.
- Reviews are undertaken confidentially until the end of the investigation, at which point a report is disseminated to a limited group of select individuals in the administration.
- Internal Audit reports any investigations to the Committee on a semi-annual basis.
- The Procedure was last reviewed by the Audit Committee in 2014 and approved at that time
As part of the ensuing discussion members queried the incidence of fraud in recent years and what could be done to increase awareness of the reporting mechanism so that members of the community were aware of the fact that they had a channel by which to report their concerns. A suggestion was made whether having an anonymous whistleblower hotline would be of benefit.
In response, Mr. Britt observed the following
- more education around what ‘fraud’ was would raise the profile of the issue across the institution – this could be done through more prominent web content and staff development training;
- the Procedure was referenced in the annual accountability report;
- anonymous reporting hotlines were the most effective fraud detection tool, and while the decision had been made years prior to adopt the Procedure in place of a whistleblower hotline, it was expected that the fraud risk assessment currently underway and soon coming to a close, would report on this issue in some way;
- in the current year, two incidences of suspected fraud were reported – one which resulted in criminal charges, the other which concluded no fraud had occurred.
Members noted that adoption of a whistleblower hotline should be revisited following review of the fraud risk assessment report.
Speaking to the progress made at the divisional level toward development of information security protocols, Mr. Daniel Ottini, Deputy Director of Internal Audit, reported that there was broad alignment and commitment across the university, but a lack of resources and competing priorities were ongoing challenges.
In response to members’ questions, Mr. Ottini reported that discussions were ongoing between departments and the Office of the Chief Information Security Officer and Chief Information Officer, as well as with Internal Audit, regarding endpoint security planning, formal disaster and security response planning, and developing local expertise.
- Draft Audited Financial Statements and Notes – April 30, 2021
The Committee received this item for information. The Chair explained that the Committee would be asked to recommend the full report to the Business Board for approval. Ms. Sheila Brown, Chief Financial Officer, spoke to the Notes and highlighted the major changes that had been made which included:
- Note 3 - Investment: reference had been made to responsible investing.;
- Note 5 – Employee benefit plans: the note had been revised to reflect accounting for recording the pension obligation to reflect the transfer to the UPP.
- Note 11 Endowments –wording had been updated to reflect anticipated results at April 30, 2021;
- Note 15 Donations – the note was expanded to disclose a donation that will not be recorded as revenue until it is spent and that will be deferred on the balance sheet.
- Note 18(b)TRIUMF – the note was amended to include the incorporation of the joint venture.
In response to a member’s question submitted in advance regarding University Pension Plan (UPP) expenses incurred by the University, Ms. Brown explained that the 2020 figure was not included in the draft notes because this note disclosure was new this year, and the 2020 comparator figure would have to be audited before it was added to the note.
As part of the ensuing discussion, Ms. Brown stated the following:
- The University Pension Plan Ontario (“UPP”) and its three founding member universities had been a broadly discussed initiative over many years ;
- financial results were not anticipated to result in a change to the MARS investment note;
- as stated by the external auditor, audit procedures would remain unchanged with respect to tracking operational and research funds.
- External Auditors - Report on Non-Audit Services by the External Auditor for the Period from October 1, 2020 to March 31, 2021
The Chair noted that in accordance with the Policy on the Use of the External Auditor for Non-Audit Services, the Audit Committee receives from the administration a quarterly report, resulting in an annual report. The report provided details of the payments made to the external auditors with respect to non-audit services for the period of October 1, 2020 to March 31, 2021.
There were no questions from members.
- Annual Report: Information Security and the Protection of Digital Assets
Members received the Annual Report on Information Security and the Protection of Digital Assets for information. Chief Information Security Officer, Isaac Straley began his report with an outline of key accomplishments that were made to improve the institution’s security posture. These included: (1) approval of shared key security standards, (2) enhanced user security with Multi-Factor-Authentication (MFA), (3) a modernized institutional firewall, (4) completion of the first divisional data inventory and self risk assessment, and (5) improved incident response capability.
He went on to outline the need for additional local investment and clear lines of accountability to unit leaders to address the lack of local knowledge and expertise at the divisional level.
Mr. Straley noted that with the emergence of mobile technology, cloud computing, and the move to remote work, the potential for breaches of proprietary information and damage to organizational IT infrastructure has increased, transforming the IT risk landscape at a rapid pace.
In conclusion, Mr. Straley outlined the “Secure U (of T”) initiative which was aimed at enabling secure post pandemic remote work. The Secure U priority projects were:
- empowering users by increasing awareness and education;
- protecting user accounts with MFA;
- increasing protections on devices such as laptops;
- focusing on enabling more online share and collaboration securely.
The Chair thanked Mr. Straley for his report and reiterated the Committee’s concern that governance oversight of cybersecurity remain a high priority, especially with the pivot to remote work, teaching, learning and research, as a result of the pandemic.
- Date of the Next Meeting
Members were reminded that the next meeting, the Committee’s last for 2020-2021 governance year, was scheduled for June 16, 2021.
- Other Business
No other business was noted.
THE COMMITTEE MOVED IN CAMERA.
- Internal Auditor – Private Meeting
Members of the administration as well as the Committee Secretary absented themselves and the Committee met privately with the Director of Internal Audit.
- Committee Members Alone
Committee members discussed topics of interest and concern.
The Committee returned to Closed Session.
The meeting adjourned at 5:42 p.m.
April 28, 2021