The Auditor General included a cybersecurity audit of Exhibition Place, an agency of the City of Toronto, in her 2025 Work Plan. Exhibition Place is Canada’s largest convention centre and entertainment and sports venue, generating $595 million[1] in economic impact annually and $67.3 million in revenue in 2024.
Phase One of this cybersecurity audit was presented at Exhibition Place’s December 5, 2025, Board meeting. The Auditor General’s Phase One confidential report included results from testing physical security, user access management, and staff awareness of social engineering in relation to cybersecurity. The Phase One public cover report is available at:
Technology plays a vital role in all aspects of Exhibition Place’s operations and services. This Phase Two report includes the results of our vulnerability assessment and penetration testing of the Exhibition Place’s network, systems, applications and devices, as well as cybersecurity incident logging and monitoring review.
This report includes five administrative recommendations. The confidential findings and recommendations are contained in Confidential Attachment 1 to this report. A separate, confidential and detailed technical report was provided to management with technical details to guide them in addressing the report findings and recommendations.
Management agrees with the recommendations contained in the Confidential Attachment 1, which also includes management’s response