Report: Audit Committee - September 18, 2024

Chairs' Boardroom, Simcoe Hall, 2nd Floor

REPORT NUMBER 159 OF THE AUDIT COMMITTEE

WEDNESDAY, SEPTEMBER 18, 2024


To the Business Board,
University of Toronto,

Your Audit Committee reports that it held a meeting in Chairs’ Board Room, 2nd floor Simcoe Hall, on September 18, 2024, at 4:00 p.m. with the following members present:


PRESENT: Joanne McNamara (Chair), Paul Huyer (Vice-Chair), Sandra Hanington (Vice-Chair of Governing Council), Samuel Elfassy, Sue Graham-Nutter, Scott MacKendrick, Brian Madden, Rajiv Mathur, Rima Ramchandani

NON-VOTING ASSESSORS:
Sheree Drummond, Secretary of the Governing Council
Scott Mabury, Vice President, Operations & Real Estate Partnerships

Trevor Rodgers, Chief Financial Officer

SECRETARIAT:  Timothy Harlick, Secretary

IN ATTENDANCE:
Kristin Taylor, Chief Legal Officer
John Kerr, Director, Risk Management & Insurance
Sanish Samuel, Controller and Director of Financial Services 
Audelyn Budihardjo, Assistant Director, Internal Audit
Daniel Kawal, Auditor
Kathi Aspros, Ernst & Young
Alanna Charles, Ernst & Young

The Audit Committee met in Closed Session.  

 

Pursuant to section 38 of By-Law Number 2,
consideration of items 9 and 10 took place in camera.


CLOSED SESSION 

  1. Chair’s Remarks

    The Chair welcomed members to the first Audit Committee meeting for the 2024-25 governance year. She additionally welcomed Ms Kathi Aspros, who had recently taken over as the new engagement partner for external audit services at Ernst & Young (EY), and thanked EY’s outgoing engagement partner, Ms Diana Brouwer, for her years of service in that role.
  2. Reports of the Administrative Assessors

    Professor Scott Mabury, Vice-President, Operations & Real Estate Partnerships reported on the following:

    International Student Enrolment

    While enrolment numbers would be finalized in November, counts were stabilizing for the Fall session. Ontario universities and colleges had seen a decline in international enrolment projections, likely due in part to the new restrictions on international student visas imposed by the federal government. However, the University of Toronto had seen relatively stable international intakes compared to last year, although the growth planned for this Fall was unlikely to be achieved. This amounted to approximately 600 fewer international student enrolments than planned, with a significant decrease in intake from India related to the heightened geopolitical tensions between the countries last year. Domestic enrolment was forecast to exceed targets by approximately 1000 students across all campuses, including strong growth at the University of Toronto driven largely by the new undergraduate spaces allocated for SAMIH.

    The budget impact from the lower-than-projected international enrolment was manageable, with an approximately $40-50M shortfall on a $3.5B budget. This shortfall was consistent with the lower end of enrolment-related risk signaled during the preparation of the approved operating budget.

    Discussion

    In response to a member’s question, Professor Mabury commented that the University had procured 300 additional rental units to accommodate the increase in domestic students. He further advised that it was the responsibility of the Deans to offset any shortfalls in cost borne by the University in the event units were rented at below cost to the University.

    Encampment

    As of the beginning of September, the total financial impact of the encampment to the University had been $4.1 million. Approximately $3.8 million had been in direct expenditures such as additional security, legal costs, cleaning, and repairs. As well, the University had lost an estimated $300 thousand in foregone revenues from cancelled events and the closure of the parking garage during the busy time of convocation.

    Over the summer, a user guide had been created to help students understand the University’s longstanding policies and guidelines on free expression and peaceful protest. The University had not introduced any new policies or guidelines on protest activities. This guide, available on the Vice-Provost Students’ website, consolidated information from existing policies, such as the Policy on the Disruption of Meetings and the Policy on the Temporary Use of Space. It emphasized that peaceful protests, a long-standing tradition on campus, remained unchanged. The guide aimed to clarify existing policy limits, legal requirements, and a recent court order from July to ensure protests continued peacefully and within safety, security, and equity guidelines.

    Discussion

    In response to a member’s question, Professor Mabury indicated that none of the expenses could be submitted as a claim under the University’s insurance.

    Cybersecurity Incident

    Professor Mabury provided an update on a cybersecurity incident at the Ontario Institute for Studies in Education (“OISE”), where data for 14,238 individuals may have been exposed. The University had notified the affected individuals as well as the Information and Privacy Commissioner (IPC) and offered credit monitoring to those impacted. All affected systems were nearing or at end-of-life and did not require backup restoration or business continuity plans. It was also reported that the University chose not to engage with the threat actor or pay a ransom. The total remediation cost was approximately $240,000, covering internal staff hours, legal fees, credit monitoring, and forensic services.

    In response to the incident, OISE had implemented several measures: enhanced network security with tools for network segmentation, improved endpoint protection by enrolling all endpoints in SentinelOne, and improved password hygiene by removing local admin access and enforcing password rotation every 90 days. They also migrated all systems to the University’s cloud environment, initiated secure data feeds instead of data dumps from ROSI, reduced the number of virtual machines from 180 to 5, and hired a dedicated cybersecurity staff member to bolster security efforts.

    Discussion

    In response to a member’s question, Professor Mabury commented on the positive impact that peer awareness had on the uptake of cybersecurity improvements across the University.

    Mr. Trevor Rodgers, Chief Financial Officer, then provided the following updates:

    National Institutes of Health Audit Report

    At the Committee’s last meeting, the external auditor had raised a concern with audit reports that had not yet been completed with respect to certain regulatory requirements and the National Institutes of Health. Mr. Rodgers had subsequently investigated the concern and advised that the delay was driven primarily by a series of unexpected vacancies in the Office of the Vice-President, Research and Innovation, which was responsible for research grant accounting. He was able to confirm that the vacancies had been filled and the required data had been provided to EY, and the audits would be completed as soon as possible.

    Insurance Coverage for Legal Claims

    In response to a discussion at the previous meeting, Mr. Rodgers clarified to the Committee that the amounts reported in the Summary of Claims against the University were the original amounts claimed by a plaintiff and that the validity of the claim, reasonableness of claim, or potential for a settlement, were not included.

    In response to a member’s question, Mr. Rodgers confirmed that the University maintained a small reserve for self-insurance coverage for certain claims. The reserve was assessed each year, and the amount set aside annually was deemed adequate.
  3. Presentation: Legal & Regulatory Risk

    Ms Kristin Taylor, Chief Legal Officer, reported on the legal & regulatory risk as an identified risk to governance. This report outlined the process undertaken by the Office of University Counsel (“OUC”), the insights gained, and the introduction of the inaugural Legal Risk Register.

    The University operates within a complex legal environment that encompasses various legislative and regulatory requirements related to enrolment, academic integrity, employment, research ethics, human rights, and corporate partnerships, among many others. OUC plays a crucial role in identifying, analyzing, and mitigating these legal risks.

    The OUC’s process began with a half-day workshop in October 2023, where legal risks were brainstormed and categorized into a “Legal Risk Universe.” This initial list of 54 risks was distilled into 24 key legal risk areas, each defined and described in detail. The team then reconvened in February 2024 to score and rank these risks based on their likelihood and potential impact. This scoring exercise revealed that the highest-ranked risks were those where OUC lawyers and the University already focused significant resources. The final Legal Risk Register, validated by the team’s thinking, highlighted areas requiring more attention and informed recruitment efforts to address gaps in legal risk management.

    The top three risks were integrated into the Committee’s Risk Assessment Table, and the Legal Risk Register would continue to be updated annually to ensure its continued relevance. This process had fostered candid discussions among OUC lawyers about daily legal risks and the control environment, ultimately enhancing the University’s legal risk management strategies.

    Discussion

    The ensuing discussion centered on the independence of the legal risk management (LRM) framework from the idea of a broader enterprise risk management (ERM) framework. It highlighted the broad definition of risk ownership and the challenges of addressing overlaps and gaps in cross-sectional risk areas. While the LRM framework is distinct and not integrated into registers or reports of other risk owners, there was an acknowledgment of the need for proactive engagement with risk owners to discuss mitigation strategies and the control environment. The discussion further focused on the potential for cross-sectional risks to become significant when aggregated across departments and the difficulty of assessing these risks through a pan-University lens that could impact the University’s broader strategic plan.
  4. Risk Management and Insurance Annual Report, 2023-2024

    Mr. John Kerr, Director, Risk Management & Insurance, reported on the Risk Management and Insurance Annual Report, 2023-2024.


    Mr. Kerr provided a summary on the University’s insurance program, including coverages, costs, and claims activity, within the context of the insurance industry’s recent financial performance and underwriting experience. The University experienced a 17.7% increase in overall premiums year over year, continuing a trend of significant increases in previous years. Transitional costs with Canadian Universities Reciprocal Insurance Exchange (“CURIE”) for premiums and limits remained high but were expected to taper off in the future. The report also summarized premiums paid and losses incurred by line of insurance and policy purchased. The transition back to CURIE was going well, with the University community favorably receiving the value-added services. CURIE’s financial position had substantially improved since the University’s departure in 2008.

    Discussion

    In response to a question about cybersecurity insurance, it was noted that the limits offered by CURIE were overly conservative, as a relatively new product offering, and likely insufficient for an institution the size of the University. The value for service provided in this regard was likely insufficient; however, the University had purchased this coverage in response to Canada’s Enterprise Cyber Security Strategy.

    Additionally, premiums for mass timber construction remained high in Canada, possibly due to unsupported fears and misconceptions about the safety and durability of this construction method. This indicated a need for continued education and advocacy to potentially reduce these costs.

    Finally, while some localized areas of the University might purchase insurance for specific situations, most insurance purchases were made centrally through the Office of Risk Management & Insurance. This centralized approach likely helped in negotiating better terms and managing overall risk more effectively.
  5. Report of the Previous Meeting – Report Number 158 (June 17, 2024)

    The report of the previous meeting was approved.  
  6. Business Arising from the Report of the Previous Meeting

    There was no business arising from the report of the previous meeting. 
  7. Date of the Next Meeting: November 20, 2024, 4:00 p.m. – 6:00 p.m.

    The Chair confirmed that the next meeting of the Committee would be held on November 20, 2024. 
  8. Other Business

    There was no other business. 

The Committee moved In-Camera. 


IN CAMERA SESSION

  1. Internal Auditor: Private meeting

    Members of the administration absented themselves and the Committee met privately with Ms. Audelyn Budihardjo, Assistant Director Internal Audit, who had attended on behalf of Mr. Alex Matos, Director of Internal Audit.
  2. Committee Members Alone

    Committee members discussed topics of interest.  

The Committee returned to Closed Session. 


The meeting adjourned at 5:31 p.m.
 

September 19, 2024