Report: Audit Committee - April 15, 2026

REPORT NUMBER 168 OF THE AUDIT COMMITTEE

Wednesday, April 15, 2026

CLOSED SESSION

1. Chair’s Remarks
   
   The Chair welcomed members and guests to the meeting.
2. Reports of the Administrative Assessors

The Committee moved In Camera. 

Guests and external auditors left the meeting.

Kristin Taylor, University Counsel and Chief Legal Officer, reported on an ongoing legal matter.

The Committee returned to Closed Session.

Guests and external auditors rejoined the meeting.

3. Draft Notes to the Audited Financial Statements – April 30, 2026
   
   Sanish Samuel, Controller and Director of Financial Services, presented the Draft Notes to the Audited Financial Statements. He highlighted two major drivers of changes from last year’s Notes: (i) the first year of operations of Spadina Sussex University Residence Co-tenancy, the joint venture which operates Oak House Student Residence; and (ii) the University’s adoption of Accounting Guideline AcG-20, Customer’s Accounting for Cloud Computing Arrangements (AcG-20).
   
   With respect to Oak House, as a not-for-profit organization, the University could use either the equity method or proportionate consolidation to account for its investment. Unlike other entities in which it has a lesser interest, the University chose to account for its investment in Oak House using proportionate consolidation based on its degree of economic interest and operational integration with the University’s core activities. In response to a member’s question, Mr. Samuel advised that under the equity method, the University’s investment is shown as a single line item on the balance sheet, with changes to its equity share included in investment income on the statement of operations, rather than including the University’s pro rata share of assets, liabilities, revenues or expenses on a line-by-line basis in the financial statements.
   
   In adopting AcG-20, Mr. Samuel advised the Committee that the University made the accounting policy decision to capitalize directly attributable expenditures on implementation activities when the arrangement is a software service. The asset for implementation of software services is expensed using the straight-line method over the expected period of access to the software services. He noted that AcG-20 is being adopted retrospectively and is not expected to have a material impact on the financial statements.
   
   A discussion ensued on the student information system, which could be a significant IT investment that may be captured by AcG-20 in future years. Professor Mabury provided the Committee with a high-level overview of the approach to updating and maintaining the student information system since 2009. In response to a member’s question, Mr. Samuel advised that contract terms would be considered in determining the period of access to the software services over which the capitalized costs would be expensed under AcG-20.

4. Internal Audit Plan 2026-2027
   
   Alex Matos, Executive Director, Internal Audit, presented the Internal Audit Plan 2026-2027. He provided an overview of the function of Internal Audit and the context in which it operates as a key component of the three lines of defense model. He highlighted the importance of Internal Audit’s independence and objectivity as well as its provision of strategic support and advice. Mr. Matos advised the Committee that the Internal Audit Plan 2026-2027 is strongly aligned to the top risks identified by the University’s Risk Assessment Working Group and takes into account broader trends across the higher education sector. He highlighted areas of focus for 2026-2027: IT, process effectiveness, attitudes, behaviour and culture (“the ABCs”), and construction.
   
   Members discussed the Internal Audit Plan 2026-2027. In response to a member’s question, Mr. Matos discussed trends surfaced through discussions with University leadership regarding consistency of offboarding processes, particularly for systems with financial impact or access to sensitive information. In response to a follow-up question, Mr. Matos advised that engagements not scheduled in the Plan are triaged based on a broad set of criteria including tri-campus impact. In response to a member’s question, Mr. Matos confirmed that when subject matter expertise is required for an engagement, in-house resources are used. Expanding on the ABCs, Mr. Matos clarified that Internal Audit would not be engaging in audits of culture per se, but might review data to determine if outcomes are being driven by patterns of behaviour. In response to a final question, Mr. Matos discussed time allocated for following up on previously issued action plans, how the 2026-2027 Plan may shift in response to ad-hoc engagements, regular triage and re-prioritization, and Internal Audit’s approach to cost effectiveness. He noted that a report will be presented next cycle that will provide further insight into several of these matters, including follow-up actions.

CONSENT AGENDA

5. Report on Non-audit Services by the External Auditors for the period from October 1, 2025 to March 31, 2026
   
   The report was received for information.
6. Report of the Previous Meeting – Report Number 167 (February 25, 2026)
   
   The report of the previous meeting was approved.  

7. Business Arising from the Report of the Previous Meeting
   
   There was no business arising from the report of the previous meeting. 

8. Date of the Next Meeting: June 17, 2026, 4:00 p.m. – 6:00 p.m.

END OF CONSENT AGENDA

9. Other Business
   
   There was no other business. 

The Committee moved In Camera.

10. Annual Report: Information Security and Protection of Digital Assets
    
    The Chair welcomed Donna Kidwell, Chief Information Officer and Nathan Corwin, Chief Information Security & Digital Trust Officer, to the meeting. He noted that the Annual Report on Information Security and Protection of Digital Assets is presented annually to the Committee, along with the Planning and Budget Committee, in accordance with the Policy on Information Security and the Protection of Digital Assets.
    
    The Committee was advised that AI is rapidly increasing the scale and sophistication of cyber attacks. Mr. Corwin outlined sources of vulnerability for the Committee and discussed the current state of cybersecurity assessments at the University. Cybersecurity training rates were shared as was the introduction of the Privacy Quest tool. He also commented on the cybersecurity implications of the University’s interest in grants in high-security research areas such as defense or nuclear.
    
    In the discussion that followed, the Committee considered the current state of cybersecurity at the University, its desired state of maturity and acceptable levels of residual risk. Controls and compliance were discussed, as was the establishment of new metrics and baselines. The Committee expressed strong interest in receiving further updates from the Chief Information Security & Digital Trust Officer.
11. Risk Dashboards
    
    Kristin Taylor reported on the most recent meeting of the Risk Assessment Working Group and the changes to risk assessments since her last report to the Audit Committee on February 25, 2026. She advised the Committee that the Decline in Research Funding Risk was downgraded from High to Major, Threats to Safety On Campus & Online was downgraded from High to Major, and Threats to Institutional Autonomy was increased from Moderate to Major. She noted that Costas Catsaros, Executive Director, Project Development & Controls, UPDC had joined the Working Group, bringing valuable construction and real estate expertise to the table. Nathan Corwin has also joined the Working Group.
    
    The Committee briefly discussed the report and the nature of the Threats to Institutional Autonomy Risk. Ms. Taylor reminded the Committee that following the report next cycle, risk reporting would change as part of the ERM Program’s evolution.

12. Risk Presentation
    
    The Chair welcomed Ron Saporta, Chief Operating Officer, who delivered a presentation on deferred maintenance risk.
    
    Mr. Saporta discussed the tri-campus deferred maintenance cost of $1.5 billion, $1.3 billion of which is attributable to assets on the St. George Campus. He discussed the delta between the investment the University was making in deferred maintenance and provincial average contributions that led to Project RISE - the $300 million investment approved by the Governing Council. He described the risk-based prioritization model that was developed in 2019 to triage and assess how deferred maintenance funds could be spent most impactfully to mitigate risk. Mr. Saporta discussed the risk horizon, noting the challenges and cost impacts from climate change, as well as peaks in upcoming deferred maintenance costs attributable to the post-war and early 2000s construction booms.
    
    In response to a member’s question, Mr. Saporta clarified that the priority classifications in the mandatory reporting to the Ministry of Colleges, Universities and Research Excellence on building costs are distinct from the risk assessments conducted via the RISE program. The Committee discussed the assessed risk level of the deferred maintenance risk and the adequacy of funding over the short- and medium-term.

13. Internal Auditor: Private Meeting
    
    All attendees except Committee members left the meeting. The Committee met privately with Alex Matos, Executive Director, Internal Audit.
14. Committee Members Alone
    
    Committee members discussed topics of interest.

The Committee returned to Closed Session. 

The meeting adjourned at 6:16 p.m.

April 20, 2026