Report: Audit Committee - March 09, 2022

Via Virtual Meeting room

REPORT NUMBER 146 OF THE AUDIT COMMITTEE

March 9, 2022

To the Business Board,
University of Toronto

Your Committee reports that it held a virtual meeting on Wednesday, March 9, 2022, at 4:00 p.m. with the following members present:

 
Present:
Joanne McNamara (Chair), Rajiv Mathur (Vice-Chair), Robert Boeckner, Teodora Dechev, Sue Graham-Nutter, Paul Huyer, Rima Ramchandani, Lara Zink

Regrets: None

Non-Voting Assessors:
Alex Matos, Director of Internal Audit
Sheree Drummond, Secretary of the Governing Council
Scott Mabury, Vice President, Operations and Real Estate Partnerships
Trevor Rodgers, Chief Financial Officer

Secretariat:
Timothy Harlick, Secretary

In Attendance:
Bo Wandschneider, Chief Information Officer (for item 2)
Isaac Straley, Chief Information Security Officer (for item 2)
Deyves Fonseca, Associate Director, Information Security Operations (for item 2)
Elizabeth Cragg, Director, Office of Vice President, Operations and Real Estate Partnerships
Daniel Ottini, Deputy Director of Internal Audit 
Pierre Piché, Controller and Director of Financial Services 
Mark Britt, Special Advisor (for item 3)
Madison Kerr, Student (for item 3)
Feng Xu, Student (for item 3)
Diana Brouwer, Ernst & Young 
Joyce Yu, Ernst & Young 


Audit Committee met in Closed Session


ITEM 4 WAS APPROVED BY THE COMMITTEE. ALL OTHER ITEMS ARE REPORTED TO
THE BUSINESS BOARD FOR INFORMATION.

Pursuant to section 6.1 of the Audit Committee Terms of Reference, consideration of items
9 and 10 took place in camera.

  1. Chair’s Remarks

    Mr. Rajiv Mathur, Vice-Chair of the Audit Committee, welcomed members and guests to the meeting. Members were advised that the Audit Committee Chair, Ms. Joanne McNamara, had an unavoidable time commitment at the start of the meeting, and that Mr. Mathur would therefore chair the meeting in her place.
     
  2. Information Security Update: Organizational Structure of the OCISO

    The Chair welcomed Bo Wandschneider, Chief Information Officer, Isaac Straley, Chief Information Security Officer, and Deyves Fonseca, Associate Director, Information Security Operations to the meeting and invited Mr. Straley to offer his presentation to the Committee.

    Mr. Straley provided a presentation on the organizational structure of the Office of the Chief Information Security Officer (“OCISO”), highlighting the following key points:
  • The University’s Information Security Program identified outcomes and risks, protected against security threats, detected security issues, responded to limit impact, and implemented recovery strategies to return to regular operations;
  • The current state of information security at the University;
  • The various information security services provided by the OCISO, which included architecture and visibility, risk and privacy, incident response, research security, information security governance, identity, and education and awareness; and
  • An overview of the staffing levels, reporting structures and operating budget of the OCISO.

    In response to questions asked by members, Mr. Straley provided the following:
  • An update on the ongoing implementation of multi-factor authentication requirements for faculty, staff and students using University services.
  • That there had been no reported major ransomware attacks at the University in recent years and that his office provided guidance and advice to the University on how to resolve ransomware attacks in the event they occurred.
  • A more detailed explanation of projected budget growth year over year, noting that requests for budget increases to meet objectives were accommodated. The Committee was advised that addressing information security also required the appropriate personnel and capacity to execute, given the decentralized nature of the University.
  • That divisions also had funds allocated for information security based on their needs and priorities and that due to the decentralized nature of the University, a collective approach was necessary. Mr. Straley acted as the subject matter expert building cross institutional knowledge on this important topic. 
  • That there were challenges in the IT security field internationally regarding talent acquisition and retention and to address those challenges the University could focus on cross training programs for internal advancement of both students and employees.

    The Chair thanked Mr. Straley for his presentation.
  3. Risk Management Annual Report, 2021

    The Committee received and reviewed the Risk Management Annual Report, 2021. Included in the Report was a risk dashboard that gave Committee members a high-level overview of key risks, risk levels, and the direction in which those risks were trending.

    The Chair welcomed Mark Britt, Special Advisor, along with Madison Kerr and Feng Xu, two Faculty of Law students who were working with Mark as part of their externship in the Office of the Governing Council as observers for this Report.

    Professor Scott Mabury, Vice President, Operations and Real Estate Partnerships, reported that the previous year’s Report, in recognition of the significant and non-uniform impact of COVID on staff and at the direction of the President and the Chair of the Governing Council, had covered only the top 11 risks, with narratives suspended for that report. This year’s Report comprised submissions on all 69 risks as reported by the offices of the Vice-Presidents, the Provost, the Principals at the University of Toronto Mississauga and the University of Toronto Scarborough, the Office of the Chief Financial Officer and the Office of the Governing Council. The data was collected in four categories: Compliance, Financial, Operational and Strategic.

    In his remarks, Professor Mabury reviewed the top 12 issues based on at least major significance and likely occurrence as follows: 
     
    1. Legal & Regulatory: FIPPA 
    2. Nation State Threats 
    3. Collective Bargaining 
    4. Enrolment 
    5. Social Activism 
    6. Data Security 
    7. Legal & Regulatory: non-compliance with laws/government acts, licensing, etc 
    8. Investment Risk: Capital Market & General Economic 
    9. Reserves 
    10. Individual Behaviour 
    11. Emergency Communications 
    12. Political/Government 
In the ensuing discussion, Professor Mabury advised the Committee on the following:

  • IT risk continued to be the highest risk for his area and was the reason behind establishing CanSOCC (“the Canadian Shared Security Operations Centre”) and further emphasized the benefits of a collective approach by universities to combat issues in cyber security.
  • The University viewed reserves as both an asset and a risk and that using reserves more strategically would result in the reserve risk trending off the report. 
  • That identified risks were discussed regularly at the ‘Head Table’ with the President and Vice-Presidents and that he believed that the risk mitigation strategies for those risks were well resourced.
  • The University continued its efforts to increase the number of countries for international student enrolment as a way of reducing certain reported risks.
  • That reputational risks and opportunities relating to research and innovation were topics discussed at the Head Table as part of portfolio updates from leadership and were not necessarily captured in the narrative for each risk within the Report.
  • The University was a diverse institution with diverse opinions and perspectives on risk, and that this was reflected in the management responses in the Report.

    In response to a question regarding oversight of the University Pension Plan (“UPP”) and the 10-year exposure risk to the University, Trevor Rodgers, CFO, highlighted that:
  • The UPP had a separate Board of Trustees, of which the University was a member and had representation.
  • If there was a downturn or shortfall in the UPP within the initial 10-year period, the University would be required to make special payments to offset those shortfalls.
  • The University received regular reports on the UPP and actively monitored the risk.
  • The University had established a special fund in case a payment was required, and that the CFO held that oversight accountability.

    The Chair thanked Professor Mabury for his report.
     
  4. Report of the Previous Meeting: Report 145, December 1, 2021

    The report of the previous meeting was approved. 
     
  5. Business Arising from the Report of the Previous Meeting

    There was no business arising from the report of the previous meeting.
     
  6. Reports of the Administrative Assessors

    There were no reports of the Administrative Assessors.
     
  7. Date of Next Meeting: April 25, 2022, at 4:00 p.m.

    The Chair confirmed that the next meeting of the Committee would be held on April 25, 2022. 
     
  8. Other Business

    There were no items of other business.

    The Committee moved in camera.
     
  9. Internal Auditor: Private meeting

    Members of the administration absented themselves and the Committee met privately with the Director and Deputy Director of Internal Audit.
     
  10. Committee Members Alone

    The Committee members met alone. 

    The Committee moved into closed session.

The meeting adjourned at 6:14 p.m.
 

March 10, 2022