Report: Audit Committee - April 17, 2024

Chairs' Boardroom, Simcoe Hall, 2nd Floor

REPORT NUMBER 157 OF THE AUDIT COMMITTEE

WEDNESDAY, APRIL 17, 2024


To the Business Board,
University of Toronto,

Your Audit Committee reports that it held a meeting in Chairs’ Board Room, 2nd floor Simcoe Hall, on April 17, 2024, at 4:00 p.m. with the following members present:

PRESENT: Joanne McNamara* (Chair), Paul Huyer (Vice-Chair), Sandra Hanington (Vice-Chair of the Governing Council), Scott MacKendrick, Brian Madden, Rajiv Mathur*, Rima Ramchandani

REGRETS: Sue Graham-Nutter

NON-VOTING ASSESSORS:
Alex Matos, Director of Internal Audit
Scott Mabury, Vice President, Operations and Real Estate Partnerships
Sheree Drummond, Secretary of the Governing Council
Trevor Rodgers, Chief Financial Officer


SECRETARIAT:  Timothy Harlick, Secretary

IN ATTENDANCE:
Deyves Fonseca, Acting Chief Information Security Officer
Samuel Sanish, Controller and Director of Financial Services
Audelyn Budihardjo, Associate Director, Internal Audit
Wendy Ng, Audit Manager
Diana Brouwer, Ernst & Young
Joyce Yu, Ernst & Young

*attended remotely

Audit Committee met in Closed Session.  


Pursuant to section 38 of By-Law Number 2,
consideration of items 12 to 13 will take place in camera.


CLOSED SESSION 
 

  1. Chair’s Remarks

    Vice-Chair Paul Huyer chaired the meeting on behalf of the Chair who was unable to attend in person. The Chair welcomed members and guests to the meeting. 


    Members were reminded that the Risk Assessment Table for Reporting to the Audit Committee was available in the Committee’s resource folder in OnBoard and that feedback on the table had been requested.
  2. Reports of the Administrative Assessors

    Professor Scott Mabury, Vice-President, Operations and Real Estate Partnerships reported that international student visa applications were on track to meet the targets set out in the recently approved operating budget. Early outreach and follow-up on offers had led to increased application uptake and enrolment deposits received by the University. However, concerns remained about Canada's attractiveness to international students given the recent announcements and actions undertaken by the federal and provincial governments. He noted that applications from China and India had decreased, while applications from other countries had increased.

    Professor Mabury also commented on the need for the University to find efficiencies in its operations, given that revenues were 2.6% below expenses, which represented a 5% negative change from prior years. For several years, the University had been a member of UniForum, a service that offered benchmarking data to identify opportunities and measure efficiency within universities.

    He concluded his remarks with an update on the need to continue enhancing energy efficiency programs to reduce University expenses. As an example, Professor Mabury noted that several older buildings previously operated at maximum heating and cooling capacity regardless of occupancy. The Ontario Institute for Studies in Education, Medical School Building, and Robarts Library, for instance, were designed for constant use by 8000 people. By switching these three buildings to a variable heating system based on actual building occupancy, the University had achieved a savings of approximately $1.1M annually.

    Mr. Trevor Rodgers, Chief Financial Officer, updated the Committee on the progress of the ongoing Request for Proposal (RFP) process for external auditors. The interview process had concluded, and the University had begun negotiating a Master Services Agreement.
  3. Risk Presentation: Cyber Risk

    The Chair welcomed Mr. Deyves Fonseca, Acting Chief Information Security Officer, to the meeting to present the cyber risk as one of the identified risks contained within the Risk Assessment Table for Reporting to the Audit Committee.

    Professor Mabury provided introductory comments and emphasized the significant progress the University had made since this topic was initially raised with the Audit Committee over a decade ago.

    The presentation included:
  • An overview of the Information Security Dashboard.
  • The top risks within this category were remote work, ransomware, fraud & phishing, and risk to research.
  • The effectiveness of Canadian Shared Security Operations Centre (“CanSSOC”) in sharing useful security information in real time to protect others from cyber attacks. The University of Winnipeg’s recent cyber attack had been reported through CanSSOC and allowed participating institutions to assess and secure vulnerabilities within their systems in near real time.
  • Multi-Factor Authentication (“MFA”) remained critical in protecting the University's data.
  • Over 7000 staff and faculty had enrolled in a new voluntary program for security awareness training recently made available to the University community.

    Members also received the Dean’s and Principals Information Security Dashboard as part of the presentation and were informed of its helpfulness in assisting Deans to focus on areas that required improvement.


    Discussion

    In the ensuing discussion, Mr. Fonseca informed the Committee that:
  • MFA participation rate was roughly 98%, with the remaining 2% being predominately adjunct or affiliated roles with the University where MFA could not be implemented. With the success of MFA enrolment, the University would focus on expanding endpoint protection.
  • The variance in adequately addressing different security risks within units could be accounted for by differences in leadership strength across different areas. Some teams excelled in addressing specific vulnerabilities, while requiring assistance in addressing other vulnerabilities. No area was able to uniformly address all vulnerabilities optimally.
  • Central services could assist with enforcement of necessary controls depending on the specific risk and its progress. The example of MFA was used, where a gradual rollout strategy was employed.
  • With a focus on cost containment, there remained a balance between directly enforcing controls and encouraging adoption. While progress was being made on top security risks, strategic choices were necessary to determine which risk mitigation efforts received immediate investment. The current strategy appeared effective and continued effort was critical.

    The Chair thanked Mr. Fonseca for his presentation.
  4. Annual Report: Information Security and the Protection of Digital Assets

    Members received the Annual Report on Information Security and the Protection of Digital Assets for information.

    Mr. Fonseca provided a presentation which highlighted that during fiscal year 2023-2024, the University continued to focus on mitigating security risks stemming from remote work and ransomware by prioritizing efforts to maximize risk reduction and measure progress. The University launched its first institutional information security strategy that provided a shared direction for information security at the University.

    The key focus areas for the coming year included expansion of security awareness training, multi-year identity management transformation, secure data management to promote AI adoption, improved network security through firewall management as a service and continued enhancement of detection and response capabilities.

    Discussion

    Following the presentation, Mr. Fonseca discussed with the Committee the following:
  • The Data Asset Inventory-Information Risk Self-Assessment (DAI-IRSA) indicated improved security maturity across the university. The program successfully raised awareness of data and information risk management responsibilities. Most units completed the assessment, with a small number facing logistical challenges preventing final sign-off.
  • The University's decentralized structure highlighted the need for strong cross-institutional collaboration to manage security risks.
  • Recent fraud incidents highlighted ongoing student vulnerability, particularly with job scams.
  • Despite budget limitations, focus would remain on top-priority security areas.
  • The potential benefits of centralizing security infrastructure and vendor negotiations to leverage scale and address budget constraints.

    The Chair thanked Mr. Fonseca for his presentation.
  5. Report on Non-audit Services by the External Auditors for the period from October 1, 2023 to March 31, 2024

    The Chair noted that in accordance with the Policy on the Use of the External Auditor for Non-Audit Services, the Audit Committee receives from the administration a quarterly report, resulting in an annual report. Mr. Rodgers commented that the Report provided details of the payments made to the external auditors with respect to non-audit services for the period of October 1, 2023, to March 31, 2024.

    There were no questions by members. 
  6. Draft Audited Financial Statements and Notes - April 30, 2024

    The Committee received Draft Audited Financial Statements and Notes - April 30, 2024, for information. The Chair explained that the Committee would be asked at its June 17, 2024, meeting to recommend the full Audited Financial Statements to the Business Board for approval.  Mr. Sanish Samuel, Controller and Director of Financial Services, reported on the Notes and highlighted the major changes that had been made which included:
  • Note 2(n) had been removed as the change in accounting policy was adopted in fiscal 2023.
  • Note 4 had been added to reflect new investments.
  • Note 5 had been added to reflect non-current assets.
  • Note 9 had been updated to reflect the credit facilities secured to acquire the Project LEAP assets.
  • Note 16 had been expanded to include supplemental information that was previously disclosed on the face of the statement of cash flows. 

    Discussion

    In response to a member’s question, Mr. Rodgers and Mr. Samuel agreed to review the language in note 4 to provide greater clarity around the University’s relationship as a general partner of the UTSC Residence Limited Partnership (UTSC Residence LP) and revenue sharing.
  7. Internal Audit Plan, 2024-2025

    Mr. Alex Matos, Director, Internal Audit Department, reviewed the Audit Plan for 2024-2025 with the Committee, highlighting the following:
  • 11,000 direct project hours from a staff complement of 10 FTE.
  • Focus on institutional, divisional and departmental risks.
  • Included academic, administrative and student services functions on the three campuses.
  • Included Operational audits, Continuous Audit, Restricted Funds Compliance Audit, Information Systems reviews, Follow-up reviews, Investigations and Advisory Services.
  • Assistance was to be provided to Ernst & Young.
  • Projects were selected based on industry insights, discussions with peers across the sector, consultations with leadership and senior management, and as a result of specific requests.

    Discussion

    In response to members’ questions, Mr. Matos provided greater detail on how Internal Audit engaged with stakeholders throughout the University in determining the priorities for audits. For example, Internal Audit had leveraged the Office of the University Counsel and their regulatory and legal risk framework, as identified in the Risk Assessment Table, to identify areas for potential audit. As the definition of each risk within the Risk Assessment Table and its reporting to the Audit Committee evolved, Internal Audit would integrate those strategic risks in a more fulsome manner into its audit planning, which currently focused more on operational risks.
  8. Report of the Previous Meeting – Report Number 156 (March 6, 2024)

    The report of the previous meeting was approved.  
  9. Business Arising from the Report of the Previous Meeting

    There was no business arising from the report of the previous meeting. 
  10. Date of the Next Meeting: June 14, 2024, 4:00 p.m. – 6:00 p.m.

    The Chair confirmed that the next meeting of the Committee would be held on June 17, 2024. 
  11. Other Business

    There was no other business. 

The Committee moved In-Camera.


IN CAMERA Session
 

  12. Internal Auditor: Private meeting

    Members of the administration absented themselves and the Committee met privately with Mr. Alex Matos, Director, Internal Audit.
  13. Committee Members Alone

    Committee members discussed topics of interest.  

The Committee returned to Closed Session.


The meeting adjourned at 6:08 p.m.
 

April 22, 2024