Item - 2021.AU10.3

The Audit Committee recommends that:

1.  City Council receive the Auditor General's 2022 Work Plan, as outlined in the report (October 19, 2021) from the Auditor General, for information.

2.  City Council request the Auditor General to consider adding an assessment of Toronto Hydro cybersecurity or any other operating technology in any City division, agency or corporation to the Auditor General's 2022 Work Plan.

The Audit Committee considered Items AU10.2 and AU10.3 together.

The Auditor General gave a presentation on Auditor General's 2022 Operating Budget and 2022 Work Plan.

The purpose of this report is to provide City Council with an overview of the work the Auditor General plans to conduct in 2022. Audit projects included in the Annual Work Plan are identified through a risk assessment process conducted periodically, a review of emerging issues, and an analysis of trends in allegations made to the Fraud and Waste Hotline. The Auditor General also considers the views and experience of City Councillors and City management. The Auditor General may amend the Annual Work Plan if new priorities arise.

The Auditor General's 2022 Budget Request is being presented to the Audit Committee at the same meeting as this 2022 Work Plan. The Auditor General is asking for Council's continued support by restoring her office budget to pre-pandemic levels to help address critical emerging issues and an expanded mandate.

The Auditor General's budget request reflects funding needed to help address the following:

1.  Responding to an expanded mandate and inflow of requests for audits;

2.  Providing valuable independent oversight of critical systems to ensure the City is well-positioned to detect, mitigate, and respond to IT and cybersecurity risks;

3.  Conducting investigations on serious, time-sensitive issues; and

4.  Undertaking the City-wide COVID-19 Continuous Improvement Audit.

In light of audit requests from the Toronto Police Services and Toronto Public Library Boards, both of which are restricted boards, an influx of City Council requests for specific audits, and the need to address emerging risks including cyber security, the Auditor General must prioritize the projects she can carry out now (Table 1), versus those that need to be delayed into future years. Projects that can only be considered if additional budget funding is received are included in Table 2. The Auditor General has explained the implications of these additional demands through her 2022 Operating Budget, which is also being tabled at the same Audit Committee. Both reports should be considered together.

Where Council requests an audit, the Auditor General considers potential risks to the City before deciding whether it can be prioritized over another project on her Work Plan. However, completing requests in a timely manner is not always feasible with her limited staff resources, so work is prioritized. The Auditor General was able to incorporate some important City Council requests into her 2022 Work Plan, including: cybersecurity critical system reviews, Toronto Police audits and an audit of affordable rental replacement units.

The Work Plan includes projects that have been identified through the risk and opportunities assessment. The projects are organized as follows:

- projects currently in progress or soon to be initiated (Table 1);

- projects that can be added to our 2022 Work Plan if Council approves our budget request to restore to 2020 budget level (Table 2);

- projects on the horizon for 2022-2023 (Table 3); and

- backlog list of projects that we would like to complete over the longer term (Attachment 3).