Report: Audit Committee - December 3, 2019

---

REPORT NUMBER 135 OF THE AUDIT COMMITTEE

Mark L. Britt (Director, Internal Audit*), Sheila Brown (Chief Financial Officer), Sheree Drummond (Secretary, Governing Council), Kenneth Corts (Acting Vice President, Operations)

SECRETARIAT:
Tracey Gameiro (Audit Committee)

IN ATTENDANCE:
Diana Brouwer (Ernst & Young), Richard Levin (Executive Director of Enrolment Services and University Registrar), Francis Low (Ernst & Young), Jeff McIlravey (Audit Manager, Internal Audit), Daniel Ottini (Deputy Director, Internal Audit), Pierre Piché (Controller and Director of Financial Services), Isaac Straley (Chief Information Security Officer), Bo Wandschneider (Chief Information Officer), Joyce Yu (Ernst & Young)

*via conference call

Audit Committee met in Closed Session.

ITEMS 2, 5(a) WERE APPROVED.  ITEM 4 IS RECOMMENDED TO THE BUSINESS BOARD.  ALL OTHER ITEMS ARE REPORTED TO THE BUSINESS BOARD FOR INFORMATION.

Pursuant to section 6.1 of the Audit Committee Terms of Reference, consideration of items 13 and 14 took place in camera.

---

1. Chair’s Remarks

The Chair welcomed members and guests to the meeting and reminded all that the Committee meets in closed session.

2. Report of the Previous Meeting

Report Number 134, from the meeting of September 9, 2019, was approved.

3. Business Arising from the Report of the Previous Meeting

There was no business arising from the report of the previous meeting.

At this time the Chair advised members that to ease scheduling issues for some of the presenters the order of the agenda would be varied slightly. Specifically, the discussion of Item 3, Business Arising from the Report of the Previous Meeting, would be followed by Item 9, the Information Security Update, and then by Item 6, the Internal Audit: Semi-Annual Activity Report for the Six Months Ended October 31, 2019.   The order of business would thereafter continue as set out in the planned agenda.

4. Information Security Update (Item 9 on the Agenda)

The Committee welcomed Chief Information Security Officer, Mr. Isaac Straley and invited him to provide an update on information technology and its associated security risks at the University. 

Mr. Straley provided an overview of two recent cyber security incidents.  While specific details of the incidents could not be shared as they remained under investigation, Mr. Straley made general remarks regarding incident response, planned initiatives and ongoing challenges including that:

• Timely incident response was challenged by the distributive nature of IT services across the institutions, but recent incidents had created an opportunity to strengthen relationships and improve communication;
• Costs to respond are high, especially when using third parties.  There are no formal reserve funds or risk vehicles for managing these costs.
• Internal response capacity is low and process maturity is low.
• A self-assessment component would be added to the external assessment of the University’s security program which was in progress, allowing for more a more in depth analysis;
• To increase response times, a competitive bidding process for forensic services was being undertaken; 
• Interim incident response guidelines had been drafted;
• Cyber security insurance coverage options continued to be explored.

In closing, Mr. Straley remarked that while addressing recent incidents had had an impact on timelines for other projects, support from the administration and divisions to access the financial resources needed to address those needs and get other projects on track had been positive, but more work needs to be done. He did note however, that recruitment efforts were ongoing to address capacity in terms of human resources.

As part of the discussion, a member raised the issue of whether it was possible to create a process whereby changes could be implemented given the decentralized structure of the University.  In response, Mr. Straley addressed the challenge with connectivity but was optimistic that there was increased awareness around issues of cyber security amongst the divisions.  This was especially true given the attention to recent events.  He added that while the sharing of experiences and ‘lessons learned’ was critical to the process of ensuring increased security, but did acknowledge that more work was needed to articulate the cost impacts associated with not prioritizing cyber security, recovery plans, and ongoing testing of back up strategies.

The Chair thanked Mr. Straley for his report.

5. Internal Audit: Semi-Annual Activity Report for the Six Month Ended October 31, 2019 (Item 6 on the Agenda)

The Chair informed members that the Audit Committee Terms of Reference included the review of a semi-annual report from the Internal Auditor.  He invited Mark Britt, Director, Internal Audit, to present his report.

Mr. Britt reported that there were no major detractions from the plan and that the amount of work that had been completed or was in progress was commensurate with what was anticipated. Fifteen reviews were completed and thirteen were in progress, with five draft reports having been issued and three investigations completed during the review period.  Mr. Britt advised members that the audit reviews to date did not indicate the existence of significant unmitigated financial, compliance or operational risk to the University.  He noted that the emphasis of work had been in the information technology (“IT”) space.

Mr. Britt was confident that a substantial part of the audit plan would be completed by year’s end. He shared that there was a great deal of cooperation and desire to make improvements

In further discussion of the audit of IT systems, a member asked whether the process involved verification of back up systems.  In response, Mr. Britt informed members that this was indeed a component of every departmental unit, with a specific portion of the questionnaire dedicated to back up and restoration policies and processes.

The Committee returned to consideration of the order of business as set out in the agenda.

6. Registered Pension Plan

a. Audited Financial Statements for the Year ended June 30, 2019

The Chair explained that the Audit Committee reviews the audited financial statements of the pension plan and the accompanying auditor’s report, and recommends the financial statements to the Pension Committee for approval.  The Pension Committee, on the recommendation of the Audit Committee, had the authority to review, approve, reject or refer back the audited financial statements of the registered pension plan.  Following these introductory remarks, the Chair invited Chief Financial Officer, Sheila Brown, to speak to the item.

Ms. Brown advised the Committee that the registered pension plan’s Audited Financial Statements and Annual Financial Report provided a status of the overall financial health of the plan.  To that end, she noted that the Annual Financial Report was included solely to provide context and a broader framework in which to review the Financial Statements.  Ms. Brown went on to point out that there were slight differences in the reporting between the two documents.  She explained that while the Audited Financial Statements confirmed the value of the assets and the roll-forward of liability from the July 1, 2018 actuarial valuation to June 30, 2019, they did not include the salary increases at July 1, 2019 that were incorporated in the actuarial valuation, which was included in the Annual Financial Report. In conclusion, Ms. Brown noted that other than a small difference in the deficit between the two reports, the results were very similar to last year.

Dr. Pierre Piché, Controller and Director of Financial Services, drew members’ attention to the following aspects of the financial statements:

• The impact on the interest rate and credit risk note disclosures resulting from UTAM’s substitution of its bond repurchase program with a bond swap program;
• The simplification of the derivative financial instruments note;
• The update to Note 9 regarding the proposed conversion to the new jointly sponsored pension plan (“JSPP”) to incorporate revised disclosure of the consent process; and

• The addition of the ‘emphasis of matter’ disclosure in the auditor’s report.

In closing, Dr. Piché noted that the Financial Services team would undertake a review of the University of Toronto’s financial statements with a view to making the disclosure related to derivatives and financial instruments more understandable to the lay person with a move towards more plain language.  

Francis Low of Ernst & Young, the external auditor for the registered pension plan, then addressed the Committee and reported that he was comfortable with all disclosures, and that the audited financial statements reflected a fair presentation in all material aspects.  He added that he was comfortable with all the changes that were made to the notes, and that the addition of the ‘emphasis of matter’ paragraph was consistent with new auditing standards that mandated an expanded version of the audit report (as tailored to the pension plan).    Mr. Low stated that the audit’s emphasis continued to be on pension obligations and investment assets, and disclosures required from an accounting perspective as determined by the Ontario pension regulator.

Addressing a member’s query regarding the credit risk note disclosure, Dr. Piché explained that the decrease in the fair value of the fixed income securities directly held by the plan was due to the replacement of the bond repurchase program with a bond swap program.  He stated that while this transition did not necessarily mean a change in level of risk, it did represent a change as this note includes the impact of directly held securities and does not take into account bond swaps. The member noted that it might be beneficial to the reader to add an explanatory clause noting ‘reflecting change from repo to bond swap program’.

In response to a member’s query regarding the increase in investment management fees not being in line with assets, Ms. Brown explained that this was a reflection of both changes in strategies, and private investments being added which had higher upfront fees.  She noted that a full fees and expenses report was provided to the Pension Committee.

In reply to a question from a member regarding the scope of reporting that would be provided from the new JSPP, Ms. Brown informed the Committee that reporting obligations were still being determined, the extent of which would be considered by the JSPP’s Board of Trustees.

Regarding whether higher audit fees would be incurred related to the JSPP, Ms. Diana Brower, Engagement Partner, Ernst & Young, explained that the audit would take place up to the effective transfer date, after which responsibility would be transferred to the auditors selected by the JSPP’s Board of Trustees.

On a motion duly moved, seconded and carried
YOUR COMMITTEE RECOMMENDS
THAT the audited Financial Statements for the University of Toronto Pension Plan for the Year ended June 30, 2019 be approved.

b. Annual Financial Report for the Year ended June 30, 2019

The University of Toronto Pension Plan Annual Financial Report for the year ended June 30, 2019 was received by the Committee for information.  The Report provided context for the Committee’s review of the audited pension financial statements. 

There were no additional questions from members.

7. External Auditors

a. Report on Non-Audit Services by the External Auditors

The Chair advised that in accordance with the Policy on the Use of the External Auditor for Non-Audit Services, the Audit Committee received a quarterly report that resulted in an annual report that detailed payments made to the external auditor with respect to non-audit services.  For transparency and historical record, the items had been separated out on the meeting agenda.

b. Engagement Letter for 2020 and Audit Plan

Ms. Sheila Brown explained that the Engagement Letter sets out the terms of the engagement, a summary of the audit approach for 2020, and areas of audit emphasis and significant risk.

Ms. Joyce Yu of Ernst & Young stated that the approach taken in respect of the 2020 audit plan was consistent with past years for both the University’s and pension plan’s financial statements. She reported  that new accounting standards would be effective for years beginning on or after January 1, 2020 (the University’s 2021 year end), the implications of which would require the University to revisit current disclosures to ensure that they were in compliance. 

The Chair indicated that he was not aware of any items that would impact audit plans for the current financial year.

On a motion duly moved, seconded and carried
IT WAS RESOLVED
THAT the Audit Committee accept the external auditors’ audit plan and engagement letter for the University for the year ended April 30, 2020, and for the pension plan for the year ended June 30, 2020, as outlined in the report from Ernst & Young dated December 3, 2019.

​​​​​​​c. Report on the Audit Fees

The Committee received the Report on Audit Fees Charged to Universities of Ontario 2016-17 to 2017-18 from the Council of Ontario Finance Officers (Prepared February 2019), for information.

8. Annual Administrative Accountability Reports, 2018-19

The Chair reminded members that in accordance with the Audit Committee’s Terms of Reference, the Committee reviews the operation of the University’s system of annual financial and administrative accountability reports.  Upon invitation, Dr. Piché, addressed the Annual Administrative Reports, 2018-19.  Dr. Piché explained that all staff with financial responsibilities, including the President, were required to complete an Accountability Report for their supervisor.  The President had submitted his report to the Chair of Governing Council.

There were no questions or comments from members.

9. Enrolment Report to the Ministry of Training, Colleges and Universities, 2018-19

The Chair advised members that the Audit Committee Terms of Reference provided for the Committee to review such university related financial statements and reports as the Business Board instructed, or the Audit Committee deemed appropriate. The Enrolment Report, 2018-19 was presented by Dr. Pierre Piché, and provided for information.

Dr. Piché explained that the enrolment audit was required by the Ministry of Training, Colleges and Universities and used to confirm the accuracy of enrolment data on which grants to the University were based.  He added that the report was also used by external auditors to substantiate the provincial grant revenue on the University’s financial statements. 

There were no questions from members.

10. Reports of the Administrative Assessors

In response to expressed interest from the Committee to have a briefing on risks surrounding admissions fraud, the Committee received a presentation from Mr. Richard Levin, Executive Director Enrolment Services and University Registrar.   

Mr. Levin prefaced his comments by stating that these issues were not unique to the University of Toronto and challenges faced by all post-secondary institutions. 

The presentation included an overview of the following:

1. Types of frauds and risks
   1. Incoming credentials
      • falsified university transcripts, falsified high school credentials, fraudulent test scores
   2. Outgoing credentials to gain admission to other universities or for employment
   3. Immigration fraud
      • admission documents created to obtain entry to Canada
2. Detection and mitigation strategies:
   1. Trained, experienced admissions staff and robust processes
   2. Advocacy work with the Council of Ontario Universities for increased regulation of  private high schools

Mr. Levin concluded his presentation with the recommendation that the best solution to address admissions fraud was the exchange of digital data in place of hard copies. To that end he advised that Canadian universities were looking at working with national registrars to exchange digital information nationally.   Mr. Levin also reported that the University had released its ‘e-transcript’ two weeks prior with great success.  He stated that this was a secure digital document, with no added costs to students beyond what they would have paid for a paper transcript, and with increased delivery times (currently at two hours but moving towards 20 minutes).  Mr. Levin reported that while general uptake rates were in the 30-40% range, the University had experienced an 80% update in the first few days of launching the digital transcript.

In response to a member’s question, Mr. Levin confirmed that the system could accommodate any graduation date, and that the PDF transcripts were generated directly from the system with no human intervention.  

Professor Corts provided a brief update on the recent judicial review which struck down the Student Choice Initiative (SCI) which had been announced by the provincial government in January 2019.

He noted that by the time the court ruling had been made, fees for the Fall term had already been collected.  The system however was currently suspended awaiting further developments. 

As part of the ensuring discussion, Professor Corts indicated that the opt-out rate had been low, and that universities were awaiting direction with regards to the fees opted out of to date.

There were no additional reports from the Administrative assessors.

11. Date of the Next Meeting

Members were reminded that the next meeting was scheduled for Wednesday, March 4, 2020.

12. Other Business

No other business was noted.

THE COMMITTEE MOVED IN CAMERA.

13. Internal Auditor – Private Meeting

Members of the administration as well as the Committee Secretary absented themselves and the Committee met privately with the Deputy Director of Internal Audit.

14. Committee Members Alone

Committee members discussed topics of interest and concern.

The Committee returned to Closed Session.

The meeting adjourned at 6:15 p.m.