Report: Audit Committee – September 9, 2019

-
Simcoe Hall, 27 King’s College Circle, Board Room, 2nd Floor

REPORT NUMBER 134 OF THE AUDIT COMMITTEE

To the Business Board,

University of Toronto

Your Committee reports that it met on Tuesday, September 9, 2019, at 4:00 p.m. in the Governing Council Boardroom, Simcoe Hall, with the following members present:

Present:
Christopher Thatcher (Chair), Janet Ecker (Vice-Chair), Robert Boeckner, Sue Graham-Nutter, Kathryn Jenkins, Andrew Szende

NON-VOTING ASSESSORS:
Mark L. Britt, Director, Internal Audit, Sheila Brown, Chief Financial Officer, Kenneth Corts, Acting Vice President, Operations, Sheree Drummond, Secretary, Governing Council

SECRETARIAT:
Tracey Gameiro, Audit Committee

IN ATTENDANCE:
Diana Brouwer, Ernst & Young, John Kerr, Director, Risk Management & Insurance, Daniel Ottini, Deputy Director, Internal Audit, Pierre Piché, Controller and Director of Financial Services, Isaac Straley, Chief Information Security Officer, Bo Wandschneider, Chief Information Officer


Audit Committee met in Closed Session.

ITEM 2 WAS APPROVED. ALL OTHER ITEMS ARE REPORTED TO THE BUSINESS BOARD FOR INFORMATION.

Pursuant to section 6.1 of the Audit Committee Terms of Reference, consideration of items 10 and 11 took place in camera.

  1. Introduction and Chair’s Remarks

The Chair welcomed back returning members, new member Professor Ken Corts, (who replaced Professor Scott Mabury as Vice-President, University Operations until December 31, 2019), as well as John Kerr of the Office of Insurance and Risk Management, and Daniel Ottini, of Internal Audit. He offered a brief overview of the Committee and reminded members that the Committee conducted meetings in closed session and that meeting materials were confidential.

  1. Report of the Previous Meeting
    Report Number 133, from the meeting of June 17, 2019, was approved.
  1. Business Arising from the Report of the Previous Meeting
    There was no business arising from the report of the previous meeting.
  1. Audit Committee

a. Terms of Reference
b. 2019-2020 Calendar of Business

The Chair reviewed the Committee’s Terms of Reference and Calendar of Business for 2019-2020.

In response to a member’s questions regarding risk management and the scope of the Committee’s role, the Secretary to Governing Council, Ms. Sheree Drummond acknowledged that the areas of risk had expanded and that the function of the Committee was to ensure that their oversight was comprehensive. She confirmed that while areas of risk were constantly re-assessed, no formal adjustments to the Audit Committee’s Terms of Reference were required at this time.

  1. Risk Management and Insurance Annual Report 2018-2019

The Chair noted that the Risk Management and Insurance Annual Report had previously been brought forward in Cycle 6, but that a decision had been made the year previous to move it to Cycle 1 to allow more time for discussion.

Chief Financial Officer Sheila Brown provided an introduction to the Risk Management and Insurance Annual Report 2018/19, noting that the report had been consolidated and reformatted to provide a more comprehensive discussion of trends in the insurance industry, how these trends had impacted the University’s purchasing activity, how premiums and losses interacted with each other, and further clarity on the University’s claims experience.

Following her introductory remarks, Ms. Brown invited Mr. John Kerr, Director of Risk Management and Insurance to summarize the key areas of the Report.

Mr. Kerr expanded on Ms. Brown’s comments and explained that this year’s report had been focused to address:

  1. the University’s approach towards insurance purchasing and its involvement with the Canadian Universities Reciprocal Insurance Exchange (CURIE) and the commercial insurance markets;
  2. recent insurance industry underwriting experience as background and context to the University's own purchasing activity;
  3. the property and casualty insurance portfolio maintained by the University;
  4. a year over cost comparison by line of insurance, provided to illustrate the extent of pricing changes by line and overall;
  5. claim experience by line of insurance;
  6. premium and claims experience related to user directed insurance purchase; and
  7. novel risk management cases.

Highlights of Mr. Kerr’s report included:

  • the University’s property and liability rates remained unchanged;
  • main property policy premiums increased to reflect an increase in the University’s insured values;
  • liability premiums were flat year over year;
  • cost of the commercial crime policy declined slightly due to a remarketing effort;
  • renewal with property and liability insurers had been challenging with an overall increase in excess of 10% for the 2019-20 policy year, due to the combined effect of a hardening market and the University’s deteriorating loss experience;
  • between 2017/18 and 2018/19 the University experienced an overall premium increase of just under 5%;
  • water damage continued to be the most frequent cause of loss;
  • the University’s portfolio loss ratio was elevated with individual policy loss ratios above 40% on five of nine lines of insurance purchased;
  • the University’s seven year loss ratio for premiums and claims related to the user directed insurance purchase of course of construction or builders risk and wrap up liability insurance was above 100%;over the past seven years the University had purchased project specific insurance for twenty-eight projects;
  • higher rates and longer turn around times to procure course of construction insurance were expected.

In reply to a question from a member regarding how coverage amounts and deductibles were determined, Mr. Kerr explained that these were established by metrics calculated by insurers. With respect to intangibles such as malpractice or cyber security, Mr. Kerr added that benchmarking and reference to trends within the legal environment were part of this assessment. He concluded by saying that he was comfortable with the limits in place.

When discussing computer fraud and cyber ransom demands, Mr. Kerr indicated that more robust insurance coverage for IT security was being explored together with the Office of the Chief Information Security Officer.

In view of the hardening market and the University’s departure from the CURIE, a member suggested whether there was any merit to looking outside the university sector for other reciprocal models. In reply, Mr. Kerr explained that in developing these models there had to be some commonality of risk. He added that the homogeneity allows members more control and flexibility with regards to the risks shared through the reciprocal that are unique to the operations of its members.

In response to a question as to how Hurricane Dorian had influenced the market in general, Mr. Kerr acknowledged that the industry could be reactionary and it would not be surprising to see the impact of Dorian cited as support to substantiate further increases.

Responding to a question from the Chair, Mr. Kerr noted that should one of the engineering firms or other contractors engaged by the University become insolvent, coverage through surety bonding and insurance was available. He added that performance bonding insurance was intended to provide a source of funds in the event that the owner/insured had to source another general contractor.

In closing, Mr. Kerr postulated that while not as significant as the double-digit increase experienced this past year, further market driven increases were expected.

The Chair thanked Kerr for all his work and the comprehensiveness of his report.

  1. Information Security Update

The Committee welcomed Chief Information Security Officer, Mr. Isaac Straley and invited him to provide an update on information technology (IT) and its associated security risks at the University.

Mr. Straley’s presentation included an overview of the following:

  • issues and risks continued to be tracked and while mitigation efforts were in progress, there remained areas of substantial risk;
  • work was being done towards having potential risk areas articulated in a more meaningful way to the community;
  • the external assessment of the University’s overall security program was in progress, with the hope to have a full report by December, 2019;
  • unknown data repositories remained the top priority in terms of issues and risks;
  • training on data classification was being conducted with the hope of seeing a greater inventory to help direct mitigation efforts;
  • resources were needed to bolster safeguards against credit card security;
  • the expansive travel portfolio and amount of research conducted by the University made the conversation about ‘nation state threats’ (e.g. espionage, intellectual property threat) a complex but necessary conversation;
  • because of the distributed nature of the University there were challenges in detection and response strategies;

The following were identified as the portfolio’s priorities for 2019-2020:

    • the risk assessment program - to measure where the University was at, what it could be doing, identifying gaps, and assisting divisions develop plans;
    • multi-factor authentication (user authentication) - aimed at making security empowering so as to improve the user experience;
    • the vulnerability management program;
    • incident response playbooks - identified as a low cost but effective way to address detected security issues;

In reviewing the external security assessment process, Mr. Straley described the process as a hybrid approach engaging both an auditor (Ernst and Young), as well as several Chief Information Security Officers from other leading universities to normalize the results.

In his concluding remarks, Mr. Straley stressed the need for increased investments in IT security.

In response to a member’s question regarding resources, Mr. Straley indicated that there was a strong appetite from the community and support to develop a clear road map to increase security at all levels, both centrally and at the divisional level. While some investments had been made, the challenge remained gathering more data to help guide and lead investments forward.

Mr. Straley took some time to address a member’s concern regarding backup infrastructure. He acknowledged this was a complex area to address given the variance in backup systems between the central and divisional levels, but indicated that once critical assets were identified, comprehensive backup strategies could be developed.

Addressing the question of shared services, Mr. Straley confirmed that more shared services projects would be developed, but pointed members to the challenges of the intellectual property aspects of this collaboration.

Members were appreciative of all the information provided by Mr. Straley, as well as the continued efforts of the IT security team. The Chair thanked Mr. Straley for his report and noted for members that a more in-depth conversation with the IT security team would follow in December.

  1. Reports of the Administrative Assessors

There were no reports from the administrative assessors. At the request of the Chair, Ms. Sheree Drummond, Secretary to Governing Council, advised members that the administration was in the process of bringing forward the proposal for the University Pension Plan Ontario for information and discussion to the appropriate governance bodies in Cycle 1. The information session would provide governors with an off-line opportunity to ask questions and seek any necessary clarity before the item was submitted in Cycle 2 for consideration by the Governing Council at its December 12, 2019 meeting.

  1. Date of the Next Meeting

Members were reminded that the next meeting was scheduled for Tuesday, December 3, 2019, 4:00– 6:00 p.m.

  1. Other Business

No other business was noted.

The Committee Moved In Camera.

  1. Internal Auditor – Private Meeting

Members of the administration as well as the Committee Secretary absented themselves and the Committee met privately with the Director of Internal Audit.

  1. Committee Members Alone

Committee members discussed topics of interest and concern.

The Committee returned to Closed Session.

The meeting adjourned at 5:34 p.m.