Report: Audit Committee - March 4, 2020

Simcoe Hall, 27 King’s College Circle, Board Room, 2nd Floor

REPORT NUMBER 136 OF THE AUDIT COMMITTEE

To the Business Board,
University of Toronto

Your Committee reports that it met on Wednesday, March 4, 2020, at 4:00 p.m. in the Governing Council Boardroom, Simcoe Hall, with the following members present:

Christopher Thatcher (Chair), Janet Ecker (Vice-Chair)*, Robert Boeckner, Kathryn Jenkins, Andrew Szende

REGRETS:
Sue Graham-Nutter

NON-VOTING ASSESSORS:

Sheila Brown (Chief Financial Officer), Sheree Drummond (Secretary, Governing Council), Scott Mabury (Vice President, Operations and Real Estate Partnerships)

SECRETARIAT:
David Walders

IN ATTENDANCE:
Diana Brouwer (Ernst & Young), Audelyn Budihardjo (Supervisor, Internal Audit), Elizabeth Cragg (Director, Office of the Vice-President, Operations and Real Estate Partnerships), Jeff McIlravey (Internal Audit), Daniel Ottini (Deputy Director, Internal Audit), Pierre Piché (Controller and Director of Financial Services), Isaac Straley (Chief Information Security Officer)

*via conference call

The Audit Committee met in Closed Session.

ITEM 2 WAS APPROVED.  ALL OTHER ITEMS ARE REPORTED TO THE BUSINESS BOARD FOR INFORMATION.

Pursuant to section 6.1 of the Audit Committee Terms of Reference, consideration of items 10 and 11 took place in camera.


1. Chair’s Remarks

The Chair welcomed members and guests to the meeting and reminded those in attendance that the Committee meets in closed session.

2. Report of the Previous Meeting

Report Number 135, from the meeting of December 3, 2019, was approved.

3. Business Arising from the Report of the Previous Meeting

There was no business arising from the report of the previous meeting.

4. Risk Assessment Report 2019

Professor Mabury provided highlights of the Risk Assessment Report, 2019.  He summarized the process undertaken to compile the report, and commented on the benefits of the expanded reporting pool and the strengthened narratives this provided for each identified risk. He drew members’ attention to the fact that overrides were used in the report to weigh those with institutional responsibility for the risk more heavily than others or, in some cases, to ensure that a risk was not deemphasized due to particular submissions. He thanked Ms Elizabeth Cragg for her extensive work on the report, and noted that ongoing information and training sessions were held with new and current respondents from those portfolios that provided centralized services. A review of the 2019 Report highlights, and of the reporting process, was scheduled for May 8, 2020.

In his remarks, Professor Mabury addressed the 11 most critical risks that had been identified in the Report:

  1. Social Activism
  2. Nation State Threats
  3. Enrolment
  4. Data Security
  5. FIPPA breaches
  6. Collective Bargaining
  7. Reserves
  8. Emergency Communication
  9. Individual Behaviour
  10. System Development
  11. Political Government

Professor Mabury also touched upon several other risks, including Capital Projects, Faculty Recruitment and Retention and Health and Safety. He also expressed interest in reviewing the narrative component of the Report (wherein each portfolio was asked to provide a narrative for an actual risk managed in their portfolio) to ensure that these narratives continued to add value.

In the discussion that followed, members applauded the report, commented on the value of the narratives and urged their continued inclusion in the report. A member commented that, in some cases, the narratives were rather granular and could be strengthened if they encapsulated broader, institutional-level risk and proposed responses. Ms Cragg replied that the need for wider consultation between respondents, both within and across portfolios, would be a main focus of the annual report review meeting with respondents, scheduled for May 8th. In reply to another member's question regarding a 50% increase in buildings at the University over the next 15 years, Professor Mabury replied that the additional space was required to support additional students, including graduate students, new faculty hires and new programs at the University. A member inquired about the fact that, year over year, some risks had increased. Professor Mabury responded that challenging incidents at the University during the fall had contributed to increased risk in certain areas. Finally, Professor Mabury noted that the University was currently monitoring the COVID-19 outbreak very closely in terms of assessing risk and strategizing appropriate responses, should they be necessary.

The Chair thanked Professor Mabury and Ms Cragg for their work on this report.

5. Update to the Policy on Information Security and the Protection of Digital Assets

Mr. Isaac Straley, Chief Information Security Officer, provided an overview of changes to the Policy on Information Security and the Protection of Digital Assets which reflected changes in the organization of the Information Security portfolio, most notably the appointment of the institutional Chief Information Security Officer, and the establishment of the Information Security Council. 

There were no questions from members.

6. Information Security Update

Mr. Isaac Straley provided an update, noting that the external assessment of the University’s overall security program had been completed and the final report of that assessment would be available to the Committee at the April 27th 2020 meeting.  The assessment had engaged Chief Security Officers from other universities as well as the University’s external auditor. A preliminary assessment of the data revealed security gaps in several areas that needed to be addressed.  A deeper dive would be required to more fully understand these concerns and how to address them.

In reply to a member’s question about the granularity of the assessment, Mr. Straley noted that the report would provide a high-level overview, and that the next step would be to undertake a close assessment of individual units. Information Risk Self Assessments were being developed within units to assist in this process.

The Chair thanked Mr. Straley for his report.

7. Reports of the Administrative Assessors

There were no reports from the Administrative Assessors.

8. Date of the Next Meeting - Monday, April 27, 2020 at 12:00pm – 2:00pm (Council Chamber)

Members were reminded that the next meeting was scheduled for Monday, April 27, 2020, noting a change from the usual meeting time to 12:00 p.m. – 2:00 p.m., and a room change to the Council Chamber.

9. Other Business

No other business was noted.

The Committee Moved In Camera.

10. Internal Auditor – Private Meeting

Members of the administration as well as the Committee Secretary absented themselves and the Committee met privately with the Director of Internal Audit.

11. Committee Members Alone

Committee members discussed topics of interest and concern.

The Committee returned to Closed Session.

The meeting adjourned at 5:50 p.m.