Report: Audit Committee - December 01, 2021

-
Via Virtual Meeting room

REPORT NUMBER 145 OF THE AUDIT COMMITTEE

December 1, 2021

To the Business Board,
University of Toronto

Your Committee reports that it held a virtual meeting on Wednesday, December 1, 2021, at 12:00 p.m. with the following members present:

Present:
Joanne McNamara (Chair), Rajiv Mathur (Vice-Chair), Teodora Dechev, Sue Graham-Nutter, Paul Huyer, Rima Ramchandani, Lara Zink

Regrets:
Robert Boeckner

Non-Voting Assessors:
Alex Matos, Director of Internal Audit
Sheree Drummond, Secretary of the Governing Council
Scott Mabury, Vice President, Operations and Real Estate Partnerships
Trevor Rodgers, Chief Financial Officer

Secretariat:
Timothy Harlick, Secretary

In Attendance:
Daniel Ottini, Deputy Director of Internal Audit
Pierre Piché, Controller and Director of Financial Services
Diana Brouwer, Ernst & Young
Francis Low, Ernst & Young
Joyce Yu, Ernst & Young


Audit Committee met in Closed Session



 

ITEM 2 WAS RECOMMENDED. ITEM 3 WAS APPROVED. ALL OTHER ITEMS ARE
REPORTED TO THE BUSINESS BOARD FOR INFORMATION.

Pursuant to section 6.1 of the Audit Committee Terms of Reference, consideration
of items 13 and 14 took place in camera.


  1. Chair’s Remarks

    The Chair welcomed members and guests to the meeting. 

     
  2. Registered Pension Plan
    1. Audited Pension Financial Statements for the Year ended June 30, 2021 
       

The Committee received and reviewed the Audited Pension Financial Statements for the Year ended June 30, 2021.

The Chair reminded members that it was the responsibility of the Committee to review the audited financial statements of the pension plan, along with the accompanying auditor’s report, and to recommend the statements to the Pension Committee for approval. The Chair also noted that with the successful conversion to the University Pension Plan (UPP), the trust assets and the benefits under the University of Toronto Pension Plan had been transferred to and merged into the UPP and the UPP trust fund. The University’s Plan no longer existed as a separate trust or plan. The UPP would be administered by the UPP Board of Trustees, and the Plan was jointly sponsored by the Joint Sponsors. As a result, this was the last time the Committee was required to recommend the audited financial statements of the pension plan for approval.

Mr. Trevor Rodgers, Chief Financial Officer, noted that the Annual Financial Report had been provided as a reference document for members to contextualize the Financial Statements. Dr. Pierre Piché, Controller and Director of Financial Services, then highlighted the following aspects of the financial statements:

  • The plan had had a 24.1% investment return for the year-end and a total valuation of $6.9 billion.
  • The increase in the discount rate to 5.6% had helped lower the pension obligation from $6.4 billion to $6 billion.
  • The pension obligation in the financial statements had been determined on a roll forward basis and therefore differed slightly from the $6.1 billion obligation in the financial report.
  • These were the final audited pension financial statements to be presented to the Committee due to the transfer of the pension fund to the UPP.

    Mr. Francis Low from Ernst & Young, the external auditor for the registered pension plan, then addressed the Committee and reported that he was comfortable with all disclosures, and that the audited financial statements had reflected a fair presentation in all material aspects. He noted that the pension assets had been appropriately determined, the investments had been properly valued, and all required disclosures had been met. As such, there was no hesitation in issuing an unqualified opinion. 

    Discussion

    In response to a member’s question, Mr. Low provided the Committee with an overview of the process Ernst & Young had employed to provide assurance on third parties and non-publicly traded investments and commented that the University of Toronto Asset Management Corporation’s (“UTAM”) processes were also robust.

    On motion duly made, seconded and carried

    IT WAS RECOMMENDED

    THAT the audited financial statements for the University of Toronto Pension Plan for the year ended June 30, 2021 be approved.

     
    1. Pension Plan Annual Financial Report for the Year ended June 30, 2021

The Committee received and reviewed the Pension Plan Annual Financial Report for the Year ended June 30, 2021.

The Report provided context for the Committee’s review of the audited pension financial statements.  

Discussion

In response to a member’s question, Dr. Piché advised that investment return for the year ending June 30, 2021, had been exceptional compared to prior years and that he could not speak to how U of T’s results compared to those of the other universities that comprised the UPP as they had not yet been shared. He also noted that because each university had different risk and reward targets, it would be difficult to make a comparison on others’ returns.

 

  1. External Auditors
    1. Audit Plan (including Engagement Letter for 2022 and Report on Non-Audit Services) 
       

The Committee received and reviewed the Audit Plan (including Engagement Letter for 2022 and Report on Non-Audit Services).

Mr. Rodgers explained that the Engagement Letter sets out the terms of the engagement with Ernst and Young, a summary of the audit approach for 2022, and areas of audit emphasis and risk. 

Ms Diana Bouwer from Ernst & Young reported that the approach taken in respect of the 2022 audit plan had been consistent with the previous year and highlighted that for this year, Ernst & Young would receive University data throughout the year to create efficiencies during year-end. 

Ms Joyce Yu from Ernst & Young provided an overview of the audit plan for 2022 which included its scope and magnitude. She highlighted the estimated planning materiality at 2.2% of estimated total expenses and noted that they would revisit this estimate during their year-end procedures. Ms Yu then discussed the audit emphasis for the upcoming year which included: revenue recognition, impact of COVID-19, risk of management override, employee future benefits, investments, significant capital projects, contracts and agreements, and legal matters.

Discussion

In response to members’ questions, Ms Brouwer and Ms Yu advised the Committee:

  • That the change in planning materiality was not significant given Ernst & Young’s history with the University and emphasized that while there might not be reporting on unadjusted differences under the planning materiality threshold, Ernst & Young still reviewed the data.  
  • That there had been no issues with remote auditing during the previous year and Ernst & Young saw little risk in the continuation of remote auditing. 
  • How data analytics had been used in providing information back to the University and how the data had been kept secured using appropriate tools.
  • That while decreased staffing was an issue facing firms across the sector, Ernst & Young did not anticipate any delays in meeting its reporting deadlines to the University.

    On motion duly made, seconded and carried

    IT WAS RESOLVED

    THAT the Audit Committee accept the external auditors’ audit plan and engagement letter for the University for the year ended April 30, 2022, as outlined in the report from Ernst & Young dated November 9, 2021.

     
    1. Report on Audit Fees

Mr. Rodgers noted that the Report outlined the audit fees charged to Ontario universities from 2016-17 to 2020-21 and had been provided for background and context.

There were no questions from members. 

 

  1. Annual Administrative Accountability Reports, 2020-2021

    The Committee received and reviewed the Annual Administrative Accountability Reports, 2020-2021.

    Dr. Piché explained that all faculty and staff with financial responsibilities, including the President, had been required to complete an Accountability Report for their supervisor.  The President had submitted his report to the Chair of Governing Council. 

    There were no questions or comments from members.

     
  2. Enrolment Report to the Ministry of Colleges and Universities, 2020-2021

    The Committee received and reviewed the Enrolment Report to the Ministry of Colleges and Universities (“MCU”), 2020-2021.

    Mr. Rodgers reminded members that the report was used to confirm the accuracy of enrolment data on which grants to the University were based.  He added that the report was also used by external auditors to substantiate the provincial grant revenue on the University’s financial statements.  

    In response to members questions, Mr. Rodgers noted that:
  • The University maintained a five-year enrolment forecasting model including detailed enrolment plans for all disciplines, and that COVID-19 had had no significant impact on enrolment.
  • The University and the MCU had negotiated an enrolment corridor for the University, and that operating grant revenue remained fixed provided overall enrolment remained within the negotiated corridor.
  • The Provost’s Office worked annually with each of the divisions and campuses to determine overall enrolment targets based on local academic priorities.

     
  1. Internal Audit: Semi-Annual Activity Report for the Six Months Ended October 31, 2021

    The Committee received and reviewed the Internal Audit: Semi-Annual Activity Report for the Six Months Ended October 31, 2021.

    Mr. Alex Matos, Director of Internal Audit, highlighted the following key points:
  • 28 projects had been undertaken; 11 reviews had been completed and an additional three draft reports had been issued.
  • There had been three main categories reported: planned audits with four completed with audit findings that had not indicated the existence of significant unmitigated financial, compliance or operational risk to the University; follow-up audits with six completed that had confirmed that previously identified risks had been appropriately addressed; and continuous auditing and monitoring functions both in operational and research areas.
  • The Office of Internal Audit would be updating the process by which audit recommendations were monitored and followed-up on to ensure informative and effective reporting to the Committee. 
  • Approximately 66% of budgeted audit project hours had been provided from a staff complement of 10.0 full time equivalent (“FTE”), while the audit plan had presumed a staff complement of 11.0 FTE. 

    Mr. Daniel Ottini, Deputy Director of Internal Audit, provided the Committee with an overview of the IT departmental audits highlighting areas of risk where discussion had been ongoing with both the Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”). Highlights included succession planning, backup redundancy and testing, PCI:DSS compliance, and end point security for unmanaged devices. Mr. Ottini was pleased to report that a finding that was raised during their past audit work on the SAP (S/4HANA) upgrade pertaining to SAP Disaster recovery had been actioned by ITS and a budget request had been placed for a more comprehensive plan.

    Discussion

    In response to members’ questions, Mr. Matos and Mr. Ottini provided the following comments:
     
  • An overview of how areas of the University were generally chosen for audit planning purposes, noting that the risks identified in the Annual Risk Management Report provided a basis for the approach. Further consultation with senior leadership would occur to identify institutional key risk considerations.
  • Within IT, a survey conducted in 2017 had been utilized to assist in prioritizing areas considered high risk for auditing purposes.
  • Controls had been implemented to mitigate risks associated with revenue recording processes between food services and third-party vendors.
  • There had been an ongoing staff vacancy in Internal Audit that had had an impact on the total number of hours planned for auditing purposes. 

     
  1. Information Security Update

    IT Security Incident

    Mr. Isaac Straley, CISO, provided an overview of a sophisticated cyber incident that had recently occurred at the University. Notifications had been necessary along with identity protection services for some.

    Mr. Straley noted that through the University’s engagement with the Canadian Shared Security Operations Centre (“CanSSOC”), other targeted Canadian universities that had been targeted since UofT’s breach had been able to respond to the attackers quickly and effectively. 

    In response to the security incident, the University had put in place several additional IT security protections and continued to work with units throughout the tri-campus to ensure appropriate security protocols were in place. Mr. Straley expressed concerns about the ability to manage larger attacks if further IT security protocols were not implemented.

    IT Security Dashboard

    An overview of the most recent Information Security dashboard was provided to the Committee.

    Discussion

    In response to members’ questions, Mr. Straley advised the Committee that:
  • Increased training for members of the University community was required.
  • Determining the type of attacker informed the response plan to the attack.  
  • There would be a financial and time cost associated with addressing the breach, highlighting the required notifications, and monitoring services.
  • As part of general cyber incident planning, the University conducted tabletop exercises at an operational level and that elevating tabletop exercises would be beneficial.
  • There was a need for a shared commitment across the University to view cyber security as a high priority and that better infrastructure and clearer reporting should be considered.

    The Committee confirmed its ongoing interest in and support of the administration's cyber incident planning.

    The Chair thanked Mr. Straley for his presentation. 

     
  1. Report of the Previous Meeting: Report 144, October 4, 2021

    The report of the previous meeting was approved. 

     
  2. Business Arising from the Report of the Previous Meeting

    There was no business arising from the report of the previous meeting

     
  3. Reports of the Administrative Assessors

    There we no reports of the Administrative Assessors. 

     
  4. Date of Next Meeting: March 9, 2022, at 4:00 p.m.

    The Chair confirmed that the next meeting of the Committee would be held on March 9, 2022. 

     
  5. Other Business

    There were no items of other business


    The Committee moved in camera.
     
  6. Internal Auditor: Private meeting


    Members of the administration absented themselves and the Committee met privately with the Director and Deputy Director of Internal Audit.

     
  7. Committee Members Alone

    The Committee members met alone. 

    The Committee moved into closed session.

The meeting adjourned at 1:48 p.m.
 

December 2, 2021