Report: Audit Committee - April 30, 2025

Print as PDF
-
Chairs' Boardroom, Simcoe Hall, 2nd Floor

REPORT NUMBER 163 OF THE AUDIT COMMITTEE

WEDNESDAY, APRIL 30, 2025

To the Business Board,
University of Toronto,

Your Audit Committee reports that it held a meeting in Chairs’ Board Room, 2nd floor Simcoe Hall, on April 30, 2025, at 4:00 p.m. with the following members present:

PRESENT: Joanne McNamara (Chair), Paul Huyer (Vice-Chair), Sandra Hanington (Vice-Chair of Governing Council), Samuel Elfassy, Scott MacKendrick, Brian Madden, Rima Ramchandani

REGRETS: Sheree Drummond (Secretary of the Governing Council), Scott Mabury (Vice President, Operations & Real Estate Partnerships), Sue Graham-Nutter, Rajiv Mathur

NON-VOTING ASSESSORS: Trevor Rodgers* (Chief Financial Officer), Alex Matos (Executive Director, Internal Audit)

SECRETARIAT: Timothy Harlick (Secretary)

IN ATTENDANCE: Elizabeth Cragg* (Director, Office of the Vice-President, Operations & Real Estate Partnerships), Sanish Samuel (Controller and Director of Financial Services), Donna Kidwell (Chief Information Officer), Deyves Fonseca, (Acting Chief Information Security Officer), Audelyn Budihardjo, Associate Director, Internal Audit, Kathi Aspros (Ernst & Young)

*Joined remotely

The Audit Committee met in Closed Session. 

Pursuant to section 38 of By-Law Number 2,
consideration of items 10 and 14 took place in camera.

CLOSED SESSION

  1. Chair’s Remarks


    The Chair welcomed members and guests to the meeting.
  2. Reports of the Administrative Assessors

The Committee moved in camera.

On behalf of Professor Scott Mabury, Vice-President, Operations & Real Estate Partnerships, Sanish Samuel, Controller and Director of Financial Services, reported on a confidential matter.

The Committee returned to closed session.

  1. Report on Non-audit Services by the External Auditors for the period from October 1, 2024 to March 31, 2025


    The Chair noted that in accordance with thePolicy on the Use of the External Auditor for Non-Audit Services, the Audit Committee receives from the administration a quarterly report, resulting in an annual report. Mr. Samuel commented that the Report provided details of the payments made to the external auditors with respect to non-audit services for the period of October 1, 2024, to March 31, 2025.

    There were no questions by members.
  2. Draft Audited Financial Statements and Notes - April 30, 2025


    The Committee received the Draft Audited Financial Statements and Notes - April 30, 2025, for information. The Chair explained that the Committee would be asked at its June 16, 2025, meeting to recommend the full Audited Financial Statements to the Business Board for approval.Mr. Samuel noted that the draft notes reflect several updates from the prior year, including disclosures for newly consolidated entities, revised interest rate information, and expanded risk management details.

    Discussion

    In response to a question posed by Mr. Samuel, the Committee agreed to a recommended approach in note 4 to clarify the University’s role as general partner of the UTSC Residence Limited Partnership and to explain how revenue sharing will be recorded.
  3. Internal Audit Updates
    1. Audit Strategic Plan 2025-2030, Vision 2030
    2. Internal Audit Plan, 2025-2026


      The Committee received both the Annual Internal Audit Strategic Plan - Vision 2030 and the 2025-2026 Annual Internal Audit Plan, for information. Alex Matos, Director, Internal Audit presented both items.

      Highlights of the strategic plan focused on aligning assurance and advisory activities with university strategy, building tools for service delivery, and developing the team’s skillset.

      High lights of the 2025-2026 Audit Planned included assurance and advisory audits across functions on all campuses, continuous testing of operating and restricted research funds, follow-up reviews, management-requested work, training, and committee support. Assurance projects include procurement, contract management, conflict-of-interest policies, insider threat controls, IT general controls, space utilization, and treasury services. Management-requested tasks include advisory input to the Cyber Incident Response Working Group, the Finance Advisory Council, and an off-cycle payroll review.

      Other activities described by Mr. Matos involve supporting the year-end external audit, enrollment audits, training on roles, student society finance reviews, and fraud investigations. Priorities were set based on the Risk Working Group’s assessment of top exposures, divisional consultations, peer forums, and coordination with related assurance providers. A multi-year roadmap shows how audit work may shift through 2027-2028.

      Discussion

      Questions arose about expanding audit coverage to address the university’s increasingly complex financial structure and associated risks; Mr Matos confirmed future reviews will target those areas as risks evolve. He described stakeholder engagement in setting priorities, using the Office of the University Counsel’s regulatory and legal risk framework as shown in the Risk Assessment Table.

      Members questioned whether increased funding could support additional engagements and Mr Matos affirmed that, with resources already appropriately directed to key risk areas, any expansion would prompt a reevaluation of priorities and reallocations. The shift toward analytics was noted and current staffing meets existing priorities but will be reviewed if demands change.

      The Chair thanked Mr. Matos for his presentation.
  4. Report of the Previous Meeting – Report Number 162, March 5, 2025

    The report of the previous meeting was approved.
  5. Business Arising from the Report of the Previous Meeting


    There was no business arising from the report of the previous meeting.
  6. Date of the Next Meeting: June 16, 2025, 4:00 p.m. – 6:00 p.m.


    The Committee was reminded that its next meeting would be held on June 16, 2025.
  7. Other Business


    There was no other business.

The Committee moved In-Camera.

  1. Annual Report: Information Security and the Protection of Digital Assets


    Members received the Annual Report on Information Security and the Protection of Digital Assets. The Chair welcomed Deyves Fonseca, Acting Chief Information Security Officer, and Donna Kidwell, Chief Information Officer, to present the Report.

    The Chair reminded the Committee that this report is submitted under the Policy on Information Security and the Protection of Digital Assets and stressed that a thorough review is central to the Committee’s oversight role.

    Members acknowledged that the information security landscape is growing more complex and emphasized the need to maintain focus on cyber risk mitigation, preparedness, and resilience. The Committee affirmed support for the University’s efforts to build a security aware culture, implement secure practices across teaching, research, and administration, and meet evolving regulatory and sponsor requirements.
  2. Risk Report 2025


    Members received the Risk Report 2025, for information. The Chair welcomed Elizabeth Cragg, Director, Office of the Vice President, Operations & Real Estate Partnerships, who presented the Report.

    The Report consolidated the University’s highest residual risks and outlined the governance model for monitoring and updating those risks. Ms Cragg noted this served as a foundational report and that going forward dashboards on risks would be provided regularly.
  3. Risk Presentation: Collective Bargaining


    Professor Kelly Hannah-Moffat, Vice-President, People Strategy, Equity & Culture, provided a presentation on the institutional risk related to Collective Bargaining.
  4. Internal Auditor: Private meeting


    Members of the administration absented themselves and the Committee met privately with Mr. Matos.
  5. Committee Members Alone


    Committee members discussed topics of interest.

The Committee returned to Closed Session.

The meeting adjourned at 6:08 p.m.
 

May 15, 2025