The Audit, Compliance and Risk Committee heard a presentation from two Ernst and Young guest speakers Thursday and discussed data integrity, cybersecurity and possible implications of the Russian invasion of Ukraine.
On day two of the Board’s three-day session of meetings, the Audit, Compliance and Risk Committee met at 1:30 p.m. in the Rotunda Board room. The Audit, Compliance and Risk Committee is responsible for overseeing the University’s financial activities and risk management.
One of the guest speakers was Sean Jackson, managing director in the government and public sector for Ernst and Young, a professional services network. Ernst and Young partners with the internal audit department at the University.
Jackson is a former University senior administrator and served as chief information officer at the University’s School of Medicine and the University’s physicians group. The other guest speaker was Ariel Johnson-Peredo, senior manager in the consulting practice at EY. Johnson-Peredo manages the portfolio of University IT audits along with Jackson.
During the meeting, the committee went through a slideshow summarizing what it hopes to achieve in the new fiscal year 2023-24 audit plan.
One of the slides addressed the progress of the fiscal year 2022 audits timeline. According to the presentation, Cybermaturity Follow-Up (which refers to the University’s ability to mitigate threats from hackers), Batten School, School of Data Science, School of Nursing, School of Medicine and Research Data Security are all on track. Neither Academic Records nor Ransomware Readiness (which focuses on the University’s ability to protect against hackers who hold a user’s computer hostage in exchange for a “ransom” fee) has been started yet, but both are estimated for completion in April 2022.
Another slide focused largely on data integrity — or the accuracy of data — and how large organizations are relying on increasingly complex systems to make decisions and to run their daily operations. The presentation also acknowledged the trend of increasing digital adoption as a result of COVID-19.
In response to the pandemic, organizations have focused on mechanisms to mitigate cyber threats and attacks only after adopting new technologies to increase the digital response to the new remote or hybrid way of working. These mechanisms include multi-factor authentication to access the organization’s internal websites, as well as implementing a recovery plan in case critical data is compromised.
The presentation also included a slide on cybersecurity, including both the U.Va. Health and Academic divisions. Part of the risk management for the University’s senior leaders and the committee is maintaining awareness of cyber threats and being prepared for possible cyber threats or attacks.
Towards the end of the meeting, other unidentified members in attendance asked Jackson and Johnson-Peredo a few questions, including the implications of the Russian invasion of Ukraine, as well as reports of potential malware and cyberattacks and the steps to combat these threats.
“Both Ariel and I monitor this daily — we get daily briefings,” Jackson said. “The last I saw is actually a fairly robust threat from China that was specifically designed to target infrastructure, and that is something that while we want to make sure our eyes are on Ukraine, we want to make sure we don’t get sucker punched from other threats.”
The last item on the agenda was refreshing the 2022-2024 fiscal year audit plan approach. The agenda consisted of items to complete from February 2022 to June 2022. The approach included benchmarks and goals for the stakeholders meeting, senior leadership and Audit Committee and Board of Visitors.
There is no opportunity for unscheduled comments from the public during these meetings.
All meetings were held in either open or closed sessions. The open sessions were live streamed for public viewing and can be accessed at https://bov.virginia.edu/live.