Report: Audit Committee - June 20, 2022

REPORT NUMBER 148 OF THE AUDIT COMMITTEE

June 20, 2022
 

To the Business Board,
University of Toronto

Your Committee reports that it held a meeting the Board Room, Simcoe Hall, on Monday, June 20, 2022, at 4:00 p.m. with the following members present:
 
 
Present: Joanne McNamara (Chair), Rajiv Mathur (Vice-Chair), Robert Boeckner, Teodora Dechev*, Sue Graham-Nutter, Paul Huyer, Rima Ramchandani*, 

Regrets: Lara Zink

Non-Voting Assessors: Alex Matos, Director of Internal Audit; Sheree Drummond, Secretary of the Governing Council; Scott Mabury, Vice President, Operations and Real Estate Partnerships; Trevor Rodgers, Chief Financial Officer

Secretariat: Timothy Harlick, Secretary

In Attendance: Isaac Straley, Chief Information Security Officer (for items 5 and 6); Jill Kowalchuk, Director, CanSSOC* (for item 5); Pierre Piché, Controller and Director of Financial Services; Daniel Ottini, Deputy Director, Internal Audit; Audelyn Budihardjo, Internal Audit Supervisor;
Diana Brouwer, Ernst & Young; Joyce Yu, Ernst & Young;  Stella Qiao, Ernst & Young *

*Attended remotely

Audit Committee met in Closed Session. 

ITEM 8 WAS APPROVED. ITEMS 2 AND 3 ARE RECOMMENDED TO THE BUSINESS BOARD FOR APPROVAL.  ALL OTHER ITEMS ARE REPORTED TO THE BUSINESS BOARD FOR INFORMATION.

Pursuant to section 6.1 of the Audit Committee terms of reference, consideration of items 12 and 13 took place in camera.

1. Chair’s Remarks
   
   The Chair welcomed members and guests to the final meeting of the governance year and reminded them that the Committee met in closed session and that the materials were confidential. 
    
2. Audited Financial Statements for the Year Ended April 30, 2022
   1. Financial Report Presentation
      
      The Committee received a presentation of the Audited Financial Statements from Mr. Trevor Rodgers, Chief Financial Officer, and Dr. Pierre Piché, Controller and Director of Financial Services. The efforts of the Financial Services team were recognized, as well as the contributions of the Internal Audit Department and the External Auditors in completing the audit successfully. 
      
      The presentation of the Financial Report for the year ended April 30, 2022, highlighted the following: 
      • the University recorded a positive net income of $416 million (10.9% of revenues);
      • the positive net income included funds that had been set aside for future capital projects and other priorities in accordance with multi-year divisional academic plans, resulting in an increase of $184 million in central and divisional reserves;
      • net income also included infrastructure spending that was capitalized and not expensed in the current year, including projects like the UTM Science building, the Schwartz Reisman Innovation Centre West, a new Student Residence at UTSC, the Fitzgerald Building Revitalization, and the UTSC Instructional Centre Phase II; 
      • it was the second year in a row that fundraising pledges exceeded $400 million;
      • ancillary operations saw an increase of $78 million in revenues and significant recovery from the pandemic shortfalls of the prior year; and
      • the University’s net assets increased by $429 million to a total of $8.5 billion. This was net of the amount reported as a deficit ($314 million) largely due to the internal financing of capital construction in accordance with the University’s debt strategy. 
        
        Discussion
        
        Dr. Piché and Mr. Rodgers addressed the following in response to questions from members:
         
      • there had been no major changes in expenses and that 61% of expenses related to salaries. 
      • the debt policy was a percentage of annual expenses and would increase or decrease as expenses increased or decreased.
      • in relation to other universities in Ontario, the financial health indicators approved by Government indicated that University of Toronto had a very strong net income ratio, a healthy primary reserve, and a very low interest debt burden ratio compared to the rest of the province.
      • The current volatility in the markets and its potential impact to the forecast of investment funds for the long-term capital appreciation pool.
      • an overview of the revenues by category and how they tracked compared to previous years -and further discussed the University’s strategies in diversifying international recruitment.
        
        A Supplementary Report was also received by the Committee for information.
   2. External Auditor’s Report on Audit Results
      
      Ms Diana Brouwer, Ms Joyce Yu and Ms Stella Qiao of Ernst & Young presented a high-level overview of the External Auditors’ Report of Audit Results which provided the Committee with a summary of the audit procedures and the discussion with management that supported their unqualified audit opinion.  During the presentation, the following was highlighted: 
      • the changes in the audit strategy were consistent with the audit plan; 
      • areas of audit emphasis included how the University recorded its revenues and accounts for its investments, employee future benefits and capital projects;
      • there were no major deviations from the audit plan and scope during the execution of the audit, and no exceptions noted;
      • the auditors performed additional procedures to satisfy themselves of the authenticity of the documentation provided given this year’s audit was performed remotely; and
      • procedures were conducted to ensure that the disclosure impact of COVID-19 was appropriate.
        
        The Committee agreed with the views expressed by the auditors. Inquiries were also made with respect to the risk of material misstatements due to fraud and suspected fraud.  There were no significant matters that arose from the audit and no corrected or uncorrected errors noted. The Committee was also informed by the auditors that they received excellent and on-going cooperation from management.  All required audit communications were provided to the Committee by the auditors. The Chair confirmed that the Committee was not aware of any concerns of fraud or non-compliance.
        
        The audited financial statements were examined in detail by the Committee, and the audit results indicated that there were no issues to bring to the Committee’s attention.
   3. Legal Claims
      
      The Committee received the 2021-2022 summary of legal actions against the University exceeding $500,000 prepared by the administration.  
      
       
   4. External Auditors: Private Meeting
      
      The Committee moved in-camera.
      
      The Committee met privately with the external with no University staff present.  No issues were identified for the Business Board’s attention. 
      
      Ms. Brouwer was invited to advise of any problems encountered by the auditors, any restrictions on their work, the co-operation received in the performance of their duties by the administration and the Internal Audit Department, and any matters requiring discussion arising from the auditors’ findings.
      
      The Committee returned to closed session.
      
      The Chair reported that there had been no matters arising from the Committee’s in-camera session with the external auditors that would require action.
      
       
   5. Discussion and Recommendation
      
      The Chair thanked Mr. Rodgers and commended the Financial Services team for their work in preparing the financial statements.
      
      On motion duly moved, seconded and carried
      
      YOUR COMMITTEE RECOMMENDED
      
      THAT the University of Toronto audited financial statements for the fiscal year ended April 30, 2022 be approved.
       
3. Appointment of the External Auditors for 2022-2023
   
   Dr. Piché informed the Committee of the process followed in gathering and compiling feedback about the external auditors. Dr. Piché reviewed the Auditor Assessment Template and highlighted the following areas of the evaluation: 
   1. Professional Skepticism and Objectivity
   2. Quality of Engagement Team
   3. Quality of Communications
   4. Quality of Service 

Following these introductory remarks regarding the review process, Ernst & Young excused themselves and discussions of the appointment of the external auditor for the 2022-2023 year continued in their absence. 

Mr. Rodgers reported that the administration was very pleased with the work of Ernst & Young. He commented on their excellent knowledge of the university sector, their responsiveness, proactive approach, and their high levels of technical abilities.   

There were no questions from members.

On motion duly moved, seconded and carried

YOUR COMMITTEE RECOMMENDED 

THAT Ernst & Young LLP be re-appointed as external auditors of the University of Toronto for the fiscal year ending April 30, 2023.
 

4. Internal Audit Annual Report (to April 30, 2022)
   1. Annual Report, 2021-2022
      
      Mr. Alex Matos, Director, Internal Audit, highlighted the following key points from the Internal Audit Annual Report Summary for the year ended April 30, 2022:  
      • Internal Audit Services be area included Central Administration 51%, Academic Units 36%, and Student Services 13%.
      • Internal Audit had provided Operational Audits, Compliance Auditing, Information System Audits, Advisory and other related services, and Follow-up Reviews with total budgeted hours of 12,500.
      • risks assessed were categorized in three main areas: financial risks, operational risks and compliance risks.
      • there had been unexpected turn over in the Audit Department which was being addressed through recruitment.
         
   2. Audit Plan, 2022-2023
      
      Mr. Matos reviewed the Audit Plan for 2022-2023 with the Committee, highlighting the following:
      • The plan had been informed by discussions with management and reflected a shift toward increased levels of partnership and collaboration with the University community across the tri-campus.
      • There would be 11,000 direct audit hours from a staff complement of 10. FTE.
      • The focus would be on enterprise, divisional and departmental risks, and would include academic, administrative and student services functions on the three campuses; Department audits, Continuous Audit, Restricted Funds Compliance Audit, Information Systems reviews, Follow-up reviews, and Investigations and Advisory Services. 
      • IT audits would be selected from a combination of the University’s Annual Risk Report, the Internal Audit Divisional IT Survey conducted in 2017 and discussions with institutional IT leadership.
        
        In response to a member’s question about exceptions related to the Tri-agency Expenditure Compliance Assessment Program (RECAP), Mr. Matos and Mr. Ottini noted the majority related to documentation reporting errors which could be corrected through discussion and were on the less significant side of risk.
5. Information Security Update: Canadian Shared Security Operations Centre (CanSSOC)
   
   The Chair welcomed Mr. Isaac Straley, Chief Information Security Officer and Ms Jill Kowalchuk, Director, Canadian Shared Security Operations Centre (CanSSOC). Ms Kowalchuk provided a presentation on CanSSOC highlighting:
   • The cybersecurity challenges faced by Canadian post-secondary institutions. In particular, that risks had begun outpacing the ability to fund and implement solutions; universities had become more interconnected and therefore shared risks were increasing; there is insufficient cybersecurity expertise; and the pandemic had exacerbated these issues.
   • CanSSOC had started as a proof of concept among six universities: University of British Columbia, University of Alberta, University of Toronto, McMasters, Ryerson, and McGill;
   • 14 Canadian research universities had since partnered with CanSSOC.
   • 30 national and provincial partners had collaborated on shared projects, integration, and operations, and four global partners had signed active threat sharing agreements: Canada, the United Kingdom, Australia, and the United States. 
   • The many services provided by CanSSOC one of which included “Threat Feed” - a highly successful program that delivered timely threat intelligence to 152 universities and colleges.

In response to a member’s question, Ms. Kowalchuk commented that CanSSOC relied on institutions reporting security incidents and that it was developing programs so that it could collect institutional security logs in real time and act accordingly through automation to better defend against cyber attacks. 

6. Information Security Update: Key insights from the Data Asset Inventory and Information Risk Self-Assessment (DAI-IRSA): A Window into University Risk
   
   Mr. Straley provided a presentation on key insights from the Data Asset Inventory and Information Risk Self-Assessment (DAI-IRSA), highlighting the following points:
   • Completion of DAI-IRSA’s was requirement through university policy;
   • DAI-IRSA was a valuable tool that provided visibility into security risk;
   • Areas of risk and their levels of prioritization;
   • While the University continued to make progress, information management remained below targets set by the University’s Information Security Council; and
   • Increased active participation in DAI-IRSA from both academic and administrative departments improved the program and further participation could be achieved through improved risk management guidance and support from leadership.
     
     In response to a member’s question about financial support for information security, Mr. Straley commented that information security had continually received increased funding commensurate to what was requested and could be executed.
7. Report of the Previous Meeting: Report 147, April 25, 2022
   
   The report of the previous meeting was approved. 
    
8. Business Arising from the Report of the Previous Meeting
   
   There was no business arising from the report of the previous meeting.
    
9. Reports of the Administrative Assessors
   
   There were no additional reports from the Committee’s Administrative Assessors.
    
10. Date of the Next Meeting: September 21, 2022, at 4:00 p.m.
    
    Members were reminded that the next meeting was scheduled September 21, 2022.
     
11. Other Business
    
    There was no other business.
    
    The Chair thanked, members, assessors, the internal auditors, and the Secretariat for their time and efforts devoted to the Committees throughout the year. 
    
    THE COMMITTEE MOVED IN CAMERA.
     
12. Internal Auditor – Private Meeting
    
    Members of the administration absented themselves and the Committee met privately with the Director of Internal Audit.  There were no issues to be brought to the Business Board’s attention from this meeting. 
     
13. Committee Members Alone
    
    Committee members discussed topics of interest and concern.
    
    The Committee returned to Closed Session.

The meeting adjourned at 6:04 p.m.

June 21, 2022