Item - 2025.TTA1.5

Tracking Status

TTA1.5 - Audit, Risk, and Compliance - 2025 Audit Plan and Departmental Evaluation

Decision Type:
ACTION
Status:
Adopted

Caution: Preliminary decisions and motions are shown below. Any decisions or motions should not be considered final until the meeting is complete, and the decisions for this meeting have been confirmed.

Commission Decision

The Audit & Risk Management Committee:


1. Approved the ARC Audit Plan (2025) – attached as Attachment 1 to this report.

2. Approved the updated ARC Audit Charter – attached as Attachment 2 to this report.

Origin

(March 24, 2025) Report from the Head of Audit, Risk, and Compliance

Summary

ARC Audit Plan

 

The Audit, Risk, and Compliance (ARC) Audit Plan outlines the reviews and nature of internal audit work that ARC intends to conduct in 2025. By focusing ARC internal audit resources on key areas, we aim to maximize benefits for the TTC, such as enhancing operational efficiency, ensuring regulatory compliance, and providing valuable insights for informed decision-making.

 

ARC takes into consideration a variety of inputs to identify planned audit work for the year. These inputs include:

 

• Interaction and discussion with Executive Management and select Senior Management;
• Interaction and discussion with the External Auditor;
• Interaction and discussion with the Audit & Risk Management Committee (ARMC);
• An audit universe risk assessment;
• Enterprise risks; and
• External literature and news events from professional bodies and organizations.

 

The Proposed Audit Plan for 2025 consists of four comprehensive assurance projects and four follow-up validation projects, the results of which will be reported to the ARMC as part of regular ARC Audit Plan Status Updates (see Attachment 1). This Proposed Plan is being submitted for review and approval by the Committee.

 

ARC has also discussed with Senior Management a variety of topics and lines of inquiry that will be proactively pursued in an advisory and limited capacity for purposes of gaining insights and understanding of key risks. For example, ARC may explore lessons learned following major disruption incidents. While generally the outcome of such work would not require public reporting, if any major control gaps or significant observations are identified and warrant reporting to the ARMC, details will be provided in ARC Audit Plan Status Updates. This work will be completed in addition to any ad hoc advisory work and special requests submitted to ARC throughout the year.

 

ARC Audit Charter

 

An audit charter serves as a foundational document that defines the purpose, authority, and responsibility of the internal audit function, and establishes its role within the organization.

It provides the TTC a blueprint for how internal audit will operate and explains the value of internal audit’s independence in providing assurance and advisory services to the TTC.

 

The ARC audit charter has been updated to reflect the organizational change for the Head of ARC to report administratively to the Deputy Chief Executive Officer, instead of to the Chief Executive Officer.

 

The updated Audit Charter is included in Attachment 2 of this report.

 

Independence

 

Per the Institute of Internal Audit’s (IIA) standards, there is a requirement to report any impairment(s) to independence of the internal audit function. ARC notes that there have not been any impairments to independence to report for 2024.

 

Quality Assurance and Improvement Program (QAIP)

 

It is mandated in the Audit Charter that ARC will maintain a QAIP. The Program covers all aspects of the ARC Internal Audit function and requires conformance with the Institute of Internal Audit’s (IIA) Standards.

 

The Program consists of continuous oversight and review of each engagement, an annual internal assessment of conformance with the Standards, and the engagement of a qualified external party to perform an assessment of the internal audit function every five years.

 

An internal assessment was conducted in 2024, and efforts to address required enhancements are being pursued as part of continuous improvement efforts. Enhancements being planned/performed are as follows:

 

• Conducting an external assessment of the program in 2027.
• Documented a methodology to capture audit resource management and optimize the use of available resources in 2025. Complete.
• Developing processes in 2025 to encourage transparency in sharing information by management and other stakeholders (such as AG) that can guide audit coverage, including results.

 

Institute of Internal Audit (IIA) Standards Update

 

The Standards that guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of an internal audit function were updated and released on January 9, 2024. The new Standards became effective on January 9, 2025.

Before the effective date, we compared the new Standards with the 2017 version and noted that the updates primarily reflect the IIA’s structural reorganization rather than fundamental changes to the Standards themselves. The goal of the new Standards is to make them easier to understand and use, while emphasizing certain areas that align with evolving business needs. Key highlights include:

 

• Streamlined Framework.
• New emphasis on Risks and Governance.
• Enhanced Clarity in Terminology.
• Focused Guidance on Emerging Risks (increased focus on areas such as cybersecurity).

 

ARC has already implemented certain changes to align with the emphasis of the new Standards and identified further changes as part of ongoing continuous improvement efforts. These include finalizing an internal audit strategy and following new methodologies/policies to ensure new IIA standards are met.

 

ARC Internal Audit Strategy

 

The new IIA Standards state that “the chief audit executive must develop and implement a strategy for the internal audit function that supports the strategic objectives and success of the organization and aligns with the expectation of the Board, Senior Management, and other key stakeholders”.

 

An internal audit strategy is a plan of action designed to achieve a long-term or overall objective. It includes a vision, strategic objectives, and supporting initiatives for the internal audit function. It also helps guide the internal audit function toward the fulfillment of the internal audit mandate.

 

The TTC’s internal audit function sets annual goals that align with its strategies. Details of ARC’s Internal Audit Strategy will be reviewed with ARMC and Senior Management.

Background Information

(March 24, 2025) Report and Attachments 1 and 2 from the Head of Audit, Risk, and Compliance on Audit, Risk, and Compliance - 2025 Audit Plan and Departmental Evaluation
https://www.toronto.ca/legdocs/mmis/2025/tta/bgrd/backgroundfile-253816.pdf

Motions

Motion to Adopt Item moved by Councillor Dianne Saxe (Carried)

It is recommended that the Audit & Risk Management Committee:


1. Approve the ARC Audit Plan (2025) – attached as Attachment 1 to this report.

2. Approve the updated ARC Audit Charter – attached as Attachment 2 to this report.

Source: Toronto City Clerk at www.toronto.ca/council