The Audit, Compliance and Risk Committee heard a presentation from two guest speakers from Ernst and Young on Thursday and discussed data integrity, cybersecurity and the possible implications of the invasion of Ukraine.
On the second day of the three-day Council session meetings, the Audit, Compliance and Risk Committee met at 1:30 p.m. in the Board Room of the Rotunda. The Audit, Compliance and Risk Committee is responsible for monitoring financial activities and risk management of the University.
One of the guest speakers was Sean Jackson, managing director of the government and public sector of Ernst and Young, a professional services network. Ernst and Young is a partner of the University’s internal audit department.
Jackson is a former senior university administrator and served as chief information officer at the University School of Medicine and the University Physicians Group. The other guest speaker was Ariel Johnson-Peredo, Senior Consulting Executive at EY. Johnson-Peredo manages the college IT audit portfolio with Jackson.
During the meeting, the committee viewed a slideshow summarizing what it hopes to accomplish in the new audit plan for fiscal year 2023-2024.
One of the slides discussed the progress of the fiscal year 2022 audit schedule. According to the presentation, Cybermaturity Follow-Up – which refers to the University’s ability to mitigate hacker threats – as well as Batten School, School of Data Science, School of Nursing, School of Medicine and Research Data Security are all on track. Neither Academic Records nor Ransomware Preparation – which focuses on the University’s ability to protect against hackers who hold a user’s computer hostage in exchange for a “ransom” – has yet begun, but both are expected to be completed in April 2022.
Another slide largely focused on data integrity – or data accuracy – and how large organizations rely on increasingly complex systems to make decisions and run their day-to-day operations. The presentation also acknowledged the trend of increasing digital adoption in the wake of COVID-19.
In response to the pandemic, organizations have focused on mechanisms to mitigate cyber threats and attacks only after adopting new technologies to increase the digital response to the new remote or hybrid way of working. These mechanisms include multi-factor authentication to access the organization’s internal websites, as well as the implementation of a recovery plan in the event of a compromise of critical data.
The presentation also included a slide on cybersecurity, including the U.Va. Health and academic divisions. Part of risk management for senior University leaders and the committee is to remain aware of cyber threats and prepare for possible cyber threats or attacks.
Towards the end of the meeting, other unidentified members present posed a few questions to Jackson and Johnson-Peredo, including the implications of the Russian invasion of Ukraine, as well as reports of potential malware and cyberattacks and measures to combat these threats.
“Ariel and I monitor this daily — we get daily briefings,” Jackson said. “Last I saw, it’s actually a pretty robust threat from China that’s been specifically designed to target infrastructure, and it’s something that while we want to make sure our eyes are on towards Ukraine, we want to make sure we don’t get shot down by other threats.”
The last item on the agenda was the refresh of the approach to the audit plan for fiscal year 2022-2024. The agenda included items to be completed from February 2022 to June 2022. The approach included benchmarks and objectives for the stakeholder meeting, senior management, audit committee and board of visitors.
There is no opportunity for the public to make unscheduled comments during these meetings.
All meetings were held in open or closed sessions. The open sessions were streamed live for public viewing and can be viewed at https://bov.virginia.edu/live.