Report: Audit Committee - September 20, 2023

Board Room, Simcoe Hall, 2nd floor



To the Business Board,
University of Toronto,

Your Audit Committee reports that it held a meeting in Chairs’ Board Room, 2nd floor Simcoe Hall, on September 20, 2023, at 4:00 p.m. with the following members present:

PRESENT: Joanne McNamara (Chair), Paul Huyer (Vice-Chair), Sandra Hanington (Vice-Chair of Governing Council), Sue Graham-Nutter, Scott MacKendrick, Rajiv Mathur, Rima Ramchandani

REGRETS: Brian Madden

Alex Matos, Director of Internal Audit
Sheree Drummond, Secretary of the Governing Council
Ron Saporta, Acting Vice President, Operations

Trevor Rodgers, Chief Financial Officer

SECRETARIAT:  Timothy Harlick, Secretary

Kristin Taylor, Chief Legal Officer
John Kerr, Director, Risk Management & Insurance
Sanish Samuel, Controller and Director of Financial Services 
Audelyn Budihardjo, Internal Audit Supervisor
Vandana Bhamidi, Senior Auditor
Diana Brouwer, Ernst & Young
Joyce Yu, Ernst & Young

Audit Committee met in Closed Session.  

Pursuant to section 38 of By-Law Number 2,
consideration of items 11 to 12 will take place in camera.


  1. Chair’s Remarks

    The Chair welcomed new and returning members, and guests to the first Audit Committee meeting for the 2023-2024 governance year.  

  2. Reports of the Administrative Assessors

    Mr. Trevor Rodgers, Chief Financial Officer, reported that Ernst & Young had been providing the University with auditing services since 2014 and his team had begun a review of audit services. Mr. Rodgers asked members who would be interested in serving on a working group to support this review to contact the Office of the Governing Council following the meeting.
  3. Update from External Auditor

Mr. Rodgers provided introductory remarks regarding both a data incident that had recently occurred at Ernst & Young (EY) and a potential breach of independence between the University and EY.

Ms Diana Brouwer, EY, provided further detail on the scope of the incident and the actions that had been taken, as well as actions that remained outstanding. The Office of the Privacy Commissioner of Canada had been notified and members of the University community who were affected by the incident would also be notified.

Ms Brouwer also informed the Committee of a potential independence-related breach that occurred between January 2022 and March 2023, where EY provided professional personnel to assist with the configuration and development of new functionality on the ServiceNow platform based on the University’s specific requirements. She further commented that EY had given significant consideration in reaching the conclusion that, in the Firm's professional judgment, its objectivity and impartiality had not been compromised.


It was clarified that the notice to individuals affected by the data incident would be distributed by EY and that the University had also been involved in developing the communications plan. This had been done out of an abundance of caution as the University was unaware of any actual harm related to the incident.  

  4. Risk Management and Insurance Annual Report, 2022-2023

    Ms Kristin Taylor, Chief Legal Officer, introduced the Report, noting that historically this item would have been introduced by Mr. Rodgers; however, due to a recent shift in reporting structure whereby Risk Management and Insurance had moved to the Office of University Counsel, Ms Taylor would be responsible for this item moving forward.

    Mr. John Kerr, Director, Risk Management & Insurance, provided further comments, highlighting the following main points:

  • Over the last year, the University continued to see changes to subscribing insurers, program structure, scope of coverage, and self-insured retentions occasioned by hardening market conditions.
  • The University experienced an overall premium increase of 19.75% year over year, following on significant increases of 16.88% in 2021-22 and 20.16% in 2020-21.
  • The University had loss ratios above 100% on its two largest lines of insurance – property and commercial general liability – which accounted for 65% of the University’s insurance costs.
  • Following the recommendation of a recent external review of the Finance Division, the University had re-entered the Canadian Universities Reciprocal Insurance Exchange (CURIE) effective January 1, 2023. While CURIE premiums would be higher in the initial years, the Reciprocal provided higher insurance limits, lower deductibles, sector-specific coverages, and value-added services.
  • It was expected that CURIE would be able to provide relatively stable premiums, with the added potential of surplus distributions to subscribers based on actual loss experience and investment returns.


    In response to a member’s question regarding CURIE and risk-related services, Ms Taylor informed the Committee that CURIE did not provide support for risk management but that they did offer minimal guidance on Enterprise Risk Management frameworks. CURIE had also introduced a network security and privacy liability (i.e. cyber-risk) solution to subscribers.
  5. Update on Risk Reporting

    Mr. Ron Saporta, Acting Vice-President, Operations, provided an update on risk reporting to the Committee. Mr. Saporta re-affirmed that governance oversight of risk was an essential component of the University’s risk management program. It represented a key responsibility of governance and supported the University’s position on the importance of appropriately managing risk. The new risk reporting structure would provide the Committee with a clearer understanding of key institutional risks and emerging risks and the nature and effectiveness of risk mitigation.


    Committee members engaged in a fulsome discussion regarding the identified risks. In particular, the Committee discussed:
  • The current geo-political environment, and in particular, the potential impact of relations between India and Canada and its effect on the University’s international students from that country.
  • The Government's recent comments regarding entry numbers of international students into Canadian universities.
  • Compensation updates given the court’s decision on Bill-124.
  • The added pressures of the housing market for recruitment purposes.

    Mr. Saporta confirmed that the updated risk report would be made available for members at the following Committee meeting.
  6. Presentation: Legal & Regulatory Risk

    Ms Taylor provided the Committee its first presentation on “legal & regulatory risk” as part of the new risk reporting framework to governance.

    Highlights of the presentation included:
  • There were generally three types of legal risk: contractual, litigation, and regulatory. Each resulted in possible legal consequences depending on the actions or inactions of the University.

  • An external report had been commissioned by the President that recommended the creation of a central legal office which would result in a single line of reporting for the University’s lawyers and a coordinated, collaborative, holistic approach to managing the University’s legal risk.
  • In response to that report, the Office of University Counsel (OUC) was established in January of 2022 to be accountable for the provision of legal services to the University of Toronto’s tri-campuses.
  • Under the new risk reporting framework, OUC would further define the identified “legal & regulatory risk” and develop a “top risk” list for ongoing monitoring and reporting to the Audit Committee.


    In response to a member’s question, Ms Taylor described the transition from the previous method of providing legal services to the University to a centralized oversight of legal services. She informed the Committee that the path had been smooth and generally accepted by the various divisions throughout the University. It was also noted that centralizing legal services allowed for more consistent communication and advice to the divisions; greater accountability through reporting mechanisms; and continuous process improvement.

    Ms Taylor further noted the benefits of centralizing legal services with respect to the use of external legal services.
  7. Report of the Previous Meeting – Report Number 153 (June 19, 2023)

    The report of the previous meeting was approved.  
  8. Business Arising from the Report of the Previous Meeting

    There was no business arising from the report of the previous meeting. 
  9. Date of the Next Meeting: November 29, 2023, 4:00 p.m. – 6:00 p.m.

    The Chair confirmed that the next meeting of the Committee would be held on November 29, 2023. 
  10. Other Business

    There was no other business. 

    The Committee moved In-Camera. 
  11. Internal Auditor: Private meeting

    Members of the administration absented themselves and the Committee met privately with Mr. Alex Matos, Director of Internal Audit.
  12. Committee Members Alone

    Committee members discussed topics of interest.  

    The Committee returned to Closed Session. 

The meeting adjourned at 6:02 p.m.

September 28, 2023