Concerns About Risks Confronting Boards
SIXTH BOARD OF DIRECTORS SURVEY
TABLE OF CONTENTS
INTRODUCTION                                   PAGE 1
ABOUT THE RESEARCH                             PAGE 2
KEY OBSERVATIONS AND INSIGHTS                  PAGE 4
CONCERNS ABOUT RISKS CONFRONTING BOARDS        PAGE 8
ABOUT EISNERAMPER                              PAGE 20
CONTACTS                                       PAGE 21
INTRODUCTION
Our 6th edition of Concerns About Risks Confronting Boards continues EisnerAmper’s examination of the
trends, changes, and issues American boards face today.
With today’s media capable of capturing every crisis (big and small) occurring within organizations, it is
becoming increasingly evident how connected reputation, cybersecurity and social media are in relation
to risk. This time around, we took the opportunity to ask a variety of specific questions to the directors
regarding cybersecurity and social media.
In this edition, we review and analyze the general trends of more than 300 boards through the survey
responses of their directors. To give our readers a complete and in-depth look at the findings, we contrast
the results of those serving on public, private, and not-for-profit boards. Furthermore, we evaluate the
responses of board members based on the organization’s revenue as well as compare and contrast our
past data to better understand the trends that have been developing.
This report delivers insight based on the survey results, professional expertise, current news, first-hand
stories from veteran directors and the conversations we have with clients and contacts.
As always, we welcome the opportunity to discuss these discoveries in detail with you.
MICHAEL BREIT, CPA
Partner-in-Charge, Audit and Assurance Services
EisnerAmper LLP
212.891.4089
michael.breit@eisneramper.com

STEVEN KREIT, CPA
New York Partner-in-Charge, Technology and Life Sciences Groups
EisnerAmper LLP
212.891.4055
steven.kreit@eisneramper.com
ABOUT THE RESEARCH
EisnerAmper’s 6th Board of Directors Survey was designed to gain insights into the risks being discussed
and addressed in American boardrooms. Directors were polled via a web-based survey, sent to select
EisnerAmper contacts and members of the NACD Directorship database.
This survey was conducted during 2015. It measures the opinions
of directors serving on the boards of more than 300 publicly traded,
private, not-for-profit, and private equity-owned companies across a
variety of industries. This report focuses primarily on the responses
from directors of public, private and not-for-profit boards.
Board type of respondents: Public 32%, Private 32%, Not-for-profit 31%.

These directors represent a considerable range in organization revenue size:
  Under $1M     13%
  $1-10M        15%
  $10-50M       18%
  $50-100M      16%
  $100-250M     13%
  $250M-1B      14%
  $1B+          10%

These directors serve on boards that govern organizations ranging from just a year old to 175 years old,
with an average age of 41 years.

The majority of respondents (73%) with revenues over $1 billion serve on public company boards, while
not-for-profits accounted for the majority of the respondents (61%) reporting less than $50 million in
revenue. This year, respondents were well-mixed amongst board types and revenue size.
To gain better insight into the concerns facing boards and how they are being addressed, we posed
questions to find out more about the structure of these boards.

The following is a list of committees. Please indicate if these committees currently exist within your
board and, if so, if you are a part of them.

  Committee       EXISTS   MEMBER
  Audit           99%      56%
  Nominating      97%      39%
  Compensation    98%      46%
  Risk            98%      58%
  Governance      98%      51%
Almost every board has created and maintained the committees listed in the survey, with the
respondents again representing an equal mix amongst each committee – as well as finance and executive
committees.
EisnerAmper Intelligent Data (EisnerAmper ID) uses proprietary market research conducted by
EisnerAmper and leading market research firms, along with analysis from EisnerAmper’s partners and
principals, to produce insightful articles, events and data designed to educate and stimulate discussion on
the issues of most interest to business leaders today.
The survey results were analyzed and presented by EisnerAmper and are accompanied by EisnerAmper’s
observations of industry trends and issues. While EisnerAmper believes the information is from reliable
sources, it should not be relied upon as, or considered to be, investment or legal advice.
EisnerAmper ID Contact:
STACY ROBIN, Director of Marketing | EisnerAmper LLP | 347.735.4636 | stacy.robin@eisneramper.com
• Percentages throughout this report are rounded to the closest whole number.
• Not all of the survey participants answered all of the questions.
• Select questions provided the opportunity for respondents to choose more than one response.
KEY OBSERVATIONS AND INSIGHTS
We hope that in addition to the data and information we’ve obtained through your responses, we’re
also able to help you see beyond the numbers and form action plans to face the challenges that you
yourselves have deemed the most important.
RISK, NO ACTION
This year, we feel obligated to point out an issue that is not linked to one specific concern or trend
in board oversight. Rather, picking up on a key mention from our 2014 report, a theme that has
resonated even more distinctly this year is “risk, no action.” While action may very well fall to those in
the day-to-day operational roles, there seems to be little happening at the board level to encourage
addressing the risks in a more comprehensive fashion.
SOCIAL MEDIA: THE CURRENT “WILD WEST” FOR BOARDS
Let’s face it: Social media is a necessary evil for every company, organization and brand in today’s
market. It connects companies with their customers and provides an instant and transparent tool for
communication that wasn’t even a part of reality 15 years ago.
The ever-present trend, over the 6 surveys we’ve conducted, is that reputational risk ranks as the
top concern. Because social media is intrinsically linked to a company’s reputation and image,
organizations and boards should consider social media as one of the most important risks to manage
and monitor (as well as a tool to use to combat the same).
With all of the positive results that social media provides an organization, potential reputational risk
backlash can (and does) occur.
Shockingly, only 6% of boards feel as though they are well-versed in social media risk, and 67% of
organizations are not engaging external consultants to monitor social media.
The results indicate that boards do not appreciate (or lack the depth of understanding to appreciate)
how quickly social media can damage a company’s reputation, and how severe that damage can be.
The recommended response times for different media reflects varied expectations of the audience for
each channel:
• Twitter: minutes up to two hours
• Facebook: up to twelve hours
• Blogs: up to twenty-four hours
• Mainstream media: one to two days [1]
Placating the social sphere ensures that silence does not exacerbate the issue. Further, timely
communication generates trust. Having an effective plan in place (that can be executed immediately)
can therefore make all the difference in successfully managing a crisis – particularly those that become
viral in new media.
1. Sandra Fathi, “Social Media Crisis Response Times – How long do you have before the @#&% hits the fans?,” Tech Affect blog (May 17, 2012)
CYBERSECURITY: THE MOST DEVASTATING RISK?
Despite reputational risk’s dominance as the overall top concern to boards, cybersecurity emerged as
the top concern for public company boards (70%).
Most public companies use internal audit (32%) or external auditors/consultants (63%) to monitor
cyber risk; only 16% report neither. While public companies deserve accolades for their efforts in
monitoring cyber risk, is that enough considering merely 24% of board members feel their boards are
well-versed in understanding cybersecurity risk and another 10% feel that they are falling short of fully
understanding the risk?
What’s more, is simply monitoring a potential cybersecurity breach enough? Cybersecurity not only
should be understood and monitored, but also managed effectively – with pre-attack testing to further
help prevent and minimize a future breach.
Recently, we have seen how even some of the largest corporations can fall victim to a cyber breach
– Target, Staples, and Home Depot to name a few. Each attack had serious negative fallout, from
reputational damage to stock price impact to forcing a change in senior management. There is even
speculation that one of the latest cybersecurity breaches will have a significant impact on a planned
IPO. [2]
While this risk is inevitably on the rise, with attackers able to reach customers directly through
systemic failures in corporate systems, it is difficult to predict the potential (near) future fallout from
such crises.
As survey respondents were asked to comment further, the complexity of cybersecurity and cyberattacks emerged, along with the relationship to some of the other concerns identified.
• “Cybersecurity is a complex area with multiple threat vectors that many boards do not have
  the skills or knowledge to understand, let alone manage.”
• “Cybersecurity/IT could effectively cripple the company from the blind side, and implicates
  all other risks (i.e., fraud, product, reputational, etc.). It is an area that is difficult for
  non-technical personnel (and board members) to understand, etc.”
• “So much information shared online and threats from hacking really make one wonder:
  Can you ever do enough to protect information and data even with the best plan put in
  place?”
• “Cybersecurity/IT is presently number 1 due to the rapid increase in number and severity
  of breaches. Combine that with the fact our board has only one person on it with sufficient
  technology experience makes it a high risk for us. At least we have one person.”
We keep asking ourselves – while understanding is the first step, is a monitoring plan sufficient
protection?
2. Alastair Sharp and Euan Rocha, “Bankers: Hacked infidelity website Ashley Madison ‘can kiss goodbye’ plans for an IPO,” Business Insider online (July 22, 2015)
PLAN TO PROTECT YOUR REPUTATION
Throughout the years, it’s become apparent that boards recognize the implications of reputational
risk. Almost half (48%) of board members state their boards have a plan in place to address a crisis
with potential reputational risk fallout; however, only 20% have provided training to execute the plans.
Is merely having a plan on paper enough to withstand a reputational crisis? Or is training necessary?
Further, is the team comprised of the right people to address it, from strategic as well as tactical
perspectives? Should there be outside consultants/experts identified as key players in a crisis
response plan?
Public company boards appear to be most diligent in addressing reputational risk: almost 75% have a
response plan in place and nearly a quarter have provided training. Yet, both private and not-for-profit
boards expressed more concern about the impact of reputational risk than public boards. Therefore,
two points stand out:
1. Of private boards, 37% do not have a solid protection/plan in place for a reputational crisis,
   yet almost 90% of board members say reputational risk is the most important concern
   facing their boards.
2. Considering the massive financial and reputational implications that have resulted from
   cybersecurity breaches – the attack on Target cost the company $148 million and an
   additional $61 million in anti-breach technology [3] – public companies should be
   aware of the connection between a cybersecurity breach, an organization’s reputation and
   the ever-expanding role of social media.
Veteran director Margaret Pederson, President at Amirexx and Director at TextureMedia, Viad
and Xamax Industries, said that on the boards she has served at least one in-depth meeting each
year is focused exclusively on reputation risk and preparation. “It’s so important to have a plan in
advance,” she said.
“You need to have thought through the challenge and crafted potential responses beforehand so that
you can react quickly. There is not sufficient time to only start developing plans once the crisis
occurs.” [4] EisnerAmper’s Michael Breit added that management, from the CEO on down, should be
involved in developing the plan.
ASKING PERSONAL BOARD QUESTIONS
This year, we expanded our focus to include term limits, age limits and diversity quotas.
Overwhelmingly, board members agreed with employing these limits (75%), yet 61% do not have
term limits and 76% do not have age limits.
3. Sharone Tobias, “2014: The Year in Cyberattacks,” Newsweek online (December 31, 2014)
4. Judy Warner, “From Empathy to Heat Maps, Advice for Managing Reputation,” NACD Directorship Magazine (July/August 2015): 56-57
Further, half of the board members agreed with utilizing diversity goals; those who disagreed
referenced their belief that “experience” and “skills” should drive board member selections as
opposed to diversity factors. Not-for-profits seem to be the most progressive in incorporating limits
and quotas to minimize groupthink and reduce risk. Interestingly, 23% of not-for-profit board members
ranked diversity as an important area of risk management, while only 7% of public and 7% of private
board members said diversity was a main concern for their boards.
START TO TAKE ACTION: OPERATIONAL AUDIT
A heat map that illustrates enterprise risk specific to a company and its activities is a useful practice,
advised Mary R. Henderson, Director at CNO Financial Group, Regus plc and Walter Energy.
“The heat map is a living document that receives ongoing review and is adjusted as conditions change,”
she explained. “While a designated committee may provide in-depth oversight, enterprise risk is a
full-board matter…. One can never predict what may happen…. Practice is always a good idea. Create a
faux problem, test your list and approach, and evaluate the outcome,” she said. [5]
With regulations requiring more public companies to address financial internal control concerns, only
22% of the public company board members surveyed indicated they do not have an internal audit
function. However, almost half of private companies (47%) and not-for-profits (46%) do not have an
internal audit function.
Despite these numbers, many associate audit with a more traditional financial audit (akin to the
requirements of section 404 of the Sarbanes-Oxley Act).
There are growing issues and concerns,
however, with risk inherent to a company’s operations. Yet, there are few, if any, regulatory controls
in place to ensure the fervent and effective employment of operational audits.
An operational internal control function is robust and can cover significantly more risks than a financial
audit. The process may include a full risk assessment of the business, including everything from
manufacturing to cybersecurity to foreign operations to financial reporting, rating each of the risks
and developing testing plans to verify controls to mitigate the risks.
Cybersecurity may be prominently featured, considering everything from Ashley Madison and the IRS to
credit card exposures at Target, Home Depot and Staples, as it dominates the news. Less commonly
reported types of security flaws, such as the ability to control a Jeep remotely, show the breadth of
technology-related issues, many of which may be mitigated with effective testing.
While financial regulation may have dominated many companies’ audit concerns for the past decade
or two, stemming from headline news like Enron and Madoff, growing operational risk should evolve
boardroom discussions to consider the scope of their organizational audits and the need to review
operations. The new generation of crises may impact financials, but they will likely not originate in
“the books.”
5. Warner, “From Empathy to Heat Maps, Advice for Managing Reputation,” 57
CONCERNS ABOUT RISKS CONFRONTING BOARDS
RISKS DRIVING CONCERNS
This report is driven by one of the most fundamental questions facing
board members: What issues cause you the most concern today?
Our survey results create an important lens through which to
evaluate how boards are addressing risk: identifying it and managing
it, strategically and operationally. Therefore, it is crucial to begin by
understanding the risks at the top of directors’ minds.
“Boards are more focused than ever on risk management. As our survey notes, we have seen growth in
almost all risk management areas with reputation and cyber risk leading the way and regulatory and
compliance risk closing the gap.”
MICHAEL BREIT, CPA
Partner-in-Charge, Audit and Assurance Services, EisnerAmper LLP
Top concerns, all respondents (percentage identifying the risk as a top concern):

                                         2015   2014   2013
  Reputational Risk                      75%    72%    73%
  Cybersecurity/IT Risk                  61%    62%    53%
  Regulatory Compliance Risk             53%    50%    56%
  Senior Management Succession Planning  51%    47%    44%
  Product Risk                           34%    29%    31%
  Crisis Management                      32%    31%    39%
  Risk Due to Fraud                      27%    29%    27%
  Disaster Recovery                      26%    30%    39%
  Tax Strategies                         15%    14%    14%
  Outsourcing Risk                       17%    15%    13%
  Diversity                              12%    --     --
Top concerns by board type:

                                        PUBLIC               PRIVATE              NOT-FOR-PROFIT
                                        2015  2014  2013     2015  2014  2013     2015  2014  2013
  Reputational Risk                     66%   74%   66%      74%   59%   70%      89%   82%   77%
  Cybersecurity/IT Risk                 70%   71%   64%      61%   66%   57%      49%   50%   55%
  Outsourcing Risk                      18%   12%   16%      22%   27%   17%      11%   9%    12%
  Product Risk                          42%   35%   34%      45%   37%   45%      15%   14%   25%
  Risk Due to Fraud                     28%   38%   25%      27%   21%   29%      27%   26%   32%
  Tax Strategies                        19%   23%   20%      19%   13%   17%      9%    5%    12%
  Senior Management
  Succession Planning*                  51%   55%*  56%*     49%   34%*  48%*     56%   50%*  48%*
  Regulatory Compliance Risk            64%   60%   61%      56%   54%   54%      41%   38%   58%
  Crisis Management                     37%   30%   43%**    27%   23%   36%**    33%   38%   38%**
  Disaster Recovery                     33%   36%   43%**    32%   39%   36%**    13%   17%   38%**
  Diversity                             7%    --    --       7%    --    --       23%   --    --

*Responses based on category “CEO succession planning”
**Responses based on category “Crisis Management/Disaster Recovery”
Since the inception of the Risks Confronting Boards survey, the top 3 areas of concern for boards –
excluding financial risk – have been and continue to be reputation, cybersecurity/IT and regulatory
compliance. Meanwhile, outsourcing risk and succession planning have gained momentum in certain
types of organizations over the past few years.
THE HOT TOPICS: REPUTATIONAL RISK AND CYBERSECURITY
For private and not-for-profit company boards, reputational risk is top of mind, while for public
companies it has dropped to second place at 66%, behind cybersecurity; 66% is the same level it held
in 2013. Despite the survey asking participants to rank their top three concerns, there was no obvious
“third” after the top 2 concerns.
75% of respondents identified REPUTATIONAL RISK as a top concern to their boards; 32% ranked it as
their #1 concern.
50% of respondents identified CYBERSECURITY/IT as a top concern to their boards; 22% ranked it as
their #1 concern.
These areas have been identified year after year as the “most popular” topics boards address in
terms of risk management. When the range of options is weighted, we confirmed they are the
top-of-mind, across the “boards.”
Public company board members focus their concern on a different issue – cybersecurity. While
cybersecurity is one of the top 3 concerns for private and not-for-profit boards, it beat out reputational
risk by 4% for public company board members as the top concern.
THE ISSUE REMAINS: SO WHAT?
What are boards doing about the issues identified as key risks?

“Given the complexity of cybersecurity and its ever-changing landscape, boards are challenged to stay
visible and take action where necessary. They need to take practical steps to protect the company from
threats, and ensure there’s a plan in place to address a cyber breach when it occurs.”
JERRY RAVI, CPA
Partner, Consulting Services Group, EisnerAmper LLP

QUIETLY OF CONCERN: SUCCESSION PLANNING
Last year, we evaluated the importance of CEO succession planning; this year we broadened succession
planning to include all senior management. Private company boards reported the most drastic increase
in the importance of succession planning from 2014 to 2015, up 15 points to 49%. Succession planning
is also a top concern for not-for-profit organizations; it is the second most important risk after
reputational risk, reflecting a 6-point increase from 2014.

This year, we expanded on the central question of the Concerns Report: we asked survey participants
to rank their top two areas of concern. A cybersecurity threat is inherently linked to an organization’s
reputation. The potential for fallout for any company should be of concern.
When addressing reputational risk, what protections/plans do you have in place?

                                                        ALL    PUBLIC   PRIVATE   NfP
  Few/no plans                                          32%    26%      37%       34%
  A response/communication plan is in place             48%    50%      49%       46%
  A plan is in place and training is/has been provided  20%    24%      15%       21%
Seventy-five percent of respondents highlighted reputational risk as the top concern to their board.
Sixty-eight percent say a response or communication plan is in place to counter reputation crises:
48% have a response plan in place but had provided no training on executing it as of the survey date,
while 20% have a plan and have also provided training. Public companies are most diligent when
addressing reputational risk: almost 75% of the board members indicated their companies have a
response plan, and nearly a quarter (24%) have also provided training.
While preparedness percentages continue to rise modestly, boards may want to consider whether having
a plan on paper is sufficient to withstand a reputational crisis. Is training (or other action) necessary?
While the amount of private companies and not-for-profit organizations with a plan in place
has increased (as has training on those plans), these organizations continue to lag behind public
companies. True, public companies trade on public confidence, but many not-for-profits rely on the
public’s support as well.
A crisis, like the one shouldered by Susan G. Komen for the Cure in January 2012 [6], demonstrated the
link of reputation and social media and the combined impact on once significant financial coffers and
donations. In this case, whether the organization had a plan in place or not, its execution did not take
place in a timely manner, nor provide appropriate attention to the proper media sources.
Who (internally and externally) is involved when executing a plan to respond to a crisis involving
reputational risk?

                       ALL    PUBLIC   PRIVATE   NfP
  Internal Marketing   36%    38%      35%       38%
  External PR          28%    41%      24%       17%
  Board                69%    71%      63%       77%
  CFO                  41%    61%      37%       23%
  CEO                  91%    93%      91%       87%
IDENTIFYING AND ADDRESSING RISK
Customarily, risk may be identified and then addressed through various resources both inside and
outside an organization. The performance of these resources serves, ideally, to minimize (or eliminate)
risk and can, in the event of an emergent issue, drive the success of crisis relief.
The chart below details a variety of resources employed by organizations to address risk. The board
members identified how well they believe these resources are addressing the issues.
How is your board addressing identified risks?

                                        VERY WELL     WELL ENOUGH   POORLY        NOT AT ALL
                                        2015  2014    2015  2014    2015  2014    2015  2014
  Regular board and committee meetings  38%   37%     54%   53%     7%    9%      1%    1%
  Risk management insurance providers   16%   18%     57%   51%     9%    12%     18%   19%
  External auditors                     33%   35%     51%   52%     4%    8%      12%   5%
  Accounting department                 28%   30%     58%   59%     8%    8%      6%    3%
  Legal and compliance group            35%   34%     51%   55%     8%    6%      7%    6%
  IT                                    20%   16%     55%   60%     18%   21%     7%    3%
6. http://www.prsa.org/Intelligence/TheStrategist/Articles/view/9721/1047/Lessons_from_the_Susan_G_Komen_Planned_Parenthood#.Vd-Q34uLdts
Do you have an internal audit function?

                      ALL    PUBLIC   PRIVATE   NfP
  No                  38%    22%      47%       46%
  Yes, in-house       31%    48%      25%       24%
  Yes, outsourced     18%    16%      18%       18%
  Yes, co-sourced     13%    14%      10%       12%
Seventy-eight percent of public companies employ personnel in an active internal audit function,
whereas just over 50% of private and not-for-profit boards do so. Further, boards that had an internal
audit function ranged in size from 1 to 450 people, with an average of 14. Take out the 2 largest
outliers as well as the few with no internal audit function and the average drops to 6 people.
Some of the bias of public companies towards internal audit
may be attributed to the Sarbanes-Oxley Act (requiring public
companies to conclude whether their internal controls around
financial reporting are operating effectively).
However, it should be noted that “internal audit” can refer to
financial audit and/or operational audit functions. The financial
audit function can be effective in identifying and mitigating risks
around financial reporting.
However, for purposes of the risks
discussed in our survey, an operational audit function is able to
address significantly more of these specific risks.
There have been too many examples of cyber breaches and social media debacles leading to vast
reputational fallout for a brand and/or organization in the past few years. The recent Jeep incident, [7]
in which it was discovered that the widely sold SUVs could be individually remote-controlled by
anyone, anywhere who could hack into the vehicle’s software, is an example of a cybersecurity issue
that affected a product – and, ultimately, reputation – while being reported and discussed heavily
on social media (as well as traditional media). With the growth of “connected” products, there is
a new, growing relationship between cybersecurity and product risk. This may begin to impact the
composition and background of operational audit personnel, increasing the need to hire hackers.
More recently, a breach was uncovered when a New York insurance company performed an internal
operational audit (in 2015) and discovered that the information of over 10 million members had
possibly been compromised back in December 2013. [8]
7. http://www.insurancejournal.com/news/national/2015/07/27/376356.htm
8. Bill Berkrot, “New York health insurer hacked, over 10 million members possibly affected,” Venture Beat online (September 9, 2015)
How helpful has internal audit been in identifying risks?

                    VERY HELPFUL   HELPFUL       SLIGHTLY HELPFUL   NOT HELPFUL
                    2015  2014     2015  2014    2015  2014         2015  2014
  Public            34%   29%      37%   45%     19%   19%          10%   7%
  Private           7%    6%       38%   54%     44%   25%          12%   15%
  Not-for-Profit    17%   9%       46%   37%     23%   38%          14%   17%
With even more favor than in 2014, public companies continue to find internal audit the most helpful
when identifying risks (34% very helpful, up from 29%). Not-for-profit boards have followed suit and
increasingly found internal audit to be either very helpful or helpful, a combined 17-point increase
(from 46% to 63%).
Have auditors been engaged to better monitor/address risks in the following areas?

                              CYBER                       SOCIAL
                              ALL   PUB   PRIV  NfP       ALL   PUB   PRIV  NfP
  Internal audit              22%   32%   19%   14%       15%   22%   13%   10%
  External/consultants        45%   63%   35%   32%       12%   15%   13%   5%
  No                          37%   16%   43%   55%       67%   63%   65%   75%
  Internal used in future     10%   10%   11%   8%        9%    8%    14%   7%
  External used in future     11%   11%   11%   9%        6%    4%    5%    10%
There seems to be some recognition and movement around the risk associated with cybersecurity/IT.
With 61% of respondents ranking this as a top concern to their board, we found 67% of respondents
indicated that their boards have engaged internal (22%) or external (45%) auditors to monitor or
address cybersecurity risk. This is one area where real action seems to be emerging; however, it is not
equally so across all types of companies.
Public companies identify cybersecurity as the top risk to their boards; this aligns well with the great
majority employing internal audit (32%) or external auditors/consultants (63%) to address cyber risk,
with only 16% reporting neither. Conversely, not-for-profit boards demonstrated less concern for cyber
and IT risk than public and private companies (just under 50% ranked cyber as a top concern to their
board), and fewer than half engage internal or external auditors to address cyber risk (55% report
none).
Eighty-nine percent of not-for-profit respondents ranked reputational risk as a top concern; for these
organizations it is the top concern. Yet more than half of not-for-profit boards have not engaged
auditors to monitor or assess cybersecurity risk (55%) or social media risk (75%).
Taking cyber, IT, and reputational risks into consideration, it may seem at first glance that not-for-profits
show the greatest inaction to counter perceived risks. Yet the audit resources available to a
not-for-profit tend to be far less robust than those of most public companies.
That being said, the next section
demonstrates that not-for-profits are the only segment of companies with a growing number of
boards looking to increase both audit frequency and coverage.
This year, despite the growing risks from more prominent concerns, boards do not appear to be
interested in making significant changes to their internal audit function. In fact, more than 50% of the
board members surveyed, within every type of organization, are not proposing changes. Further, of
those proposing changes, the appetite for each type of change has decreased, in many cases
significantly. The one notable increase, despite a minimal internal audit function, is not-for-profit
organizations increasing their audit coverage (22%, up from 14%).
“With the increasing impact of technology on a company’s reputation and bottom line, boards may
want to steer executives to expand the way they leverage internal auditors – such as operational audits
to assess an organization and its products and services to vulnerabilities from emerging risks and
concerns – much like they have started to do with social media.”
ERIC DIAMOND, CPA
Audit Partner, EisnerAmper LLP
How is your board addressing identified risks?

                                            ALL          PUBLIC       PRIVATE      NfP
                                            2015  2014   2015  2014   2015  2014   2015  2014
  Enhancement of staff                      22%   32%    29%   44%    23%   28%    15%   21%
  Outsourcing the entire internal
  audit process                             6%    9%     3%    7%     11%   10%    5%    11%
  Co-sourcing (using outside resources
  to supplement internal audit staff)       15%   22%    16%   35%    19%   13%    12%   16%
  Increased audit frequency                 8%    7%     4%    8%     13%   7%     10%   7%
  Increased audit coverage                  20%   24%    23%   33%    16%   28%    22%   14%
  No changes are being proposed
  at this time                              55%   46%    53%   38%    53%   43%    58%   58%
STRATEGIC LEADERSHIP
For the second consecutive year, strategic direction is, overwhelmingly, the highest ranked strategic
topic being addressed by all types of boards. It is followed once more by finance and operations.

What are the most important strategic topics being addressed by your board?
  Strategic Direction     83%
  Finance                 53%
  Operations              49%
  Marketing and Sales     44%
  M&A                     31%
  Leveraging Int’l        17%

Although strategic direction is being addressed by the most boards and has increased in visibility by
more than 10 points for both not-for-profit and private company boards, it has become a less-pressing
topic for public company boards (down 7 points since 2014). Among public company boards, finance
has increased in popularity by 15 points since last year.
There have not been significant changes in the other topics boards are addressing for 2015.
                                           PUBLIC       PRIVATE      NfP
                                           2015  2014   2015  2014   2015  2014
  Finance                                  59%   44%    49%   59%    50%   53%
  Marketing & Sales                        34%   30%    62%   57%    35%   36%
  M&A                                      49%   55%    34%   30%    12%   11%
  Strategic Direction                      82%   89%    84%   65%    85%   71%
  Operations                               48%   47%    53%   39%    48%   38%
  Int’l/Global Resources & Opportunities   18%   23%    27%   24%    7%    9%
Similar to last year, internal growth/expansion and business process improvement remain the favorite
areas of new investment opportunities.
Does the company you serve see new investment opportunities in these areas in 2015?

                                     HIGH         MEDIUM       LOW          NOT AT ALL
                                     2015  2014   2015  2014   2015  2014   2015  2014
  Internal growth and expansion      41%   38%    35%   35%    18%   18%    6%    9%
  Business process improvement       36%   28%    40%   48%    19%   18%    5%    7%
  Strategic staffing                 30%   27%    41%   41%    21%   22%    9%    10%
  M&A or other asset purchases       27%   25%    26%   27%    20%   19%    27%   29%
  Information technology             22%   23%    45%   37%    15%   29%    18%   11%
  Social Impact/Sustainability/
  Triple bottom line                 16%   14%    27%   31%    39%   33%    18%   21%
  Commercial real estate             11%   10%    13%   15%    18%   19%    58%   56%
Would you say your board activities…
[Chart: "Focus most on" versus "Should focus most on", by Strategy, Operations, Tactics and Administration. Focus most on: Strategy 57%, Operations 45%, followed by 21% and 10% for Tactics and Administration. Should focus most on: Strategy 84%, Operations 20%, followed by 13% and 4%.]
To further understand the focus of boards, we polled board members about the topics their boards currently focus most on as well as what they believe they need to focus more on. Well over half of boards focus most on strategy (57%); even so, 84% of board members responded that more time needs to be allocated to the topic.
At the other end of the spectrum, 45% of boards focus most on operations, while only 20% of board members feel they need to focus on the topic.
MANAGEMENT
While the board may govern an organization and set strategy, management is running its operations and ultimately controls the day-to-day aspects of leading an organization. In other words, management determines how to execute the strategy. With this taken into account, it is paramount for CEOs and CFOs to understand the issues that will impact operations. This is why we ask directors if they feel their CEOs and CFOs have a strong understanding of topics related to risk.
In terms of day-to-day leadership and responsibility, tell us more about the role of the CEO and CFO in relationship to…
Area | MANAGING WELL 2015 | MANAGING WELL 2014 | NOT MANAGING WELL 2015 | NOT MANAGING WELL 2014 | SHOULD HAVE MORE RESPONSIBILITY 2015 | SHOULD HAVE MORE RESPONSIBILITY 2014 | SHOULD HAVE LESS RESPONSIBILITY 2015 | SHOULD HAVE LESS RESPONSIBILITY 2014
Broad-based risk assessment | 81% | 78% | 9% | 12% | 10% | 13% | 4% | 2%
Risk management | 76% | 77% | 11% | 11% | 12% | 14% | 3% | 3%
Reputations/crisis response | 76% | 64% | 12% | 16% | 13% | 15% | 4% | 8%
Creating financial models for strategic direction | 64% | 76% | 19% | 12% | 15% | 14% | 6% | 2%
Cybersecurity | 55% | 55% | 25% | 21% | 18% | 21% | 7% | 9%
Updates on regulatory compliance changes | 78% | 74% | 13% | 9% | 8% | 12% | 4% | 8%
Changes to tax from new government regulations | 69% | 83% | 14% | 4% | 8% | 10% | 12% | 6%
Aligning business goals to IT | 63% | 61% | 18% | 18% | 14% | 16% | 8% | 9%
Social media | 50% | 40% | 32% | 29% | 17% | 19% | 8% | 17%
For the past 3 years, cyber and social have been the 2 areas where boards feel that CEOs are not managing as well as others. The trend continues this year: at least 25% of board members feel that the CEO is not managing these issues well. Yet, they are also the 2 areas where boards feel CEOs should have more responsibility.
Creating financial models for strategic direction and aligning business goals to IT are 2 other areas board members identified that CEOs are not managing well. This presents the question: Who really should hold the responsibility for these issues/topics?
“When evaluating risks, remember the three Ds: diversity of thought, distribution of capital and disruption of your business. Social media has served as an agent to consolidate all risk into one category.”
PETER BIBLE, CPA
Chief Risk Officer, EisnerAmper LLP
Area | MANAGING WELL PUB | PRIV | NfP | NOT MANAGING WELL PUB | PRIV | NfP | SHOULD HAVE MORE RESPONSIBILITY PUB | PRIV | NfP | SHOULD HAVE LESS RESPONSIBILITY PUB | PRIV | NfP
Broad-based risk assessment | 89% | 84% | 67% | 5% | 4% | 19% | 5% | 10% | 18% | 2% | 4% | 4%
Risk management | 87% | 75% | 63% | 5% | 13% | 16% | 8% | 9% | 23% | 0% | 4% | 2%
Reputations/crisis response | 84% | 77% | 65% | 10% | 10% | 16% | 7% | 13% | 21% | 0% | 5% | 4%
Creating financial models for strategic direction | 75% | 68% | 49% | 11% | 19% | 24% | 8% | 13% | 24% | 7% | 3% | 7%
Cybersecurity | 67% | 52% | 44% | 15% | 30% | 29% | 16% | 19% | 21% | 3% | 5% | 12%
Updates on regulatory compliance changes | 90% | 70% | 76% | 5% | 20% | 11% | 3% | 11% | 9% | 2% | 3% | 6%
Changes to tax from new government regulations | 73% | 70% | 67% | 13% | 12% | 15% | 11% | 8% | 6% | 4% | 15% | 15%
Aligning business goals to IT | 74% | 58% | 57% | 13% | 18% | 25% | 10% | 15% | 19% | 5% | 11% | 4%
Social media | 52% | 48% | 45% | 26% | 36% | 35% | 20% | 13% | 20% | 6% | 11% | 5%
This year our survey delved deeper into the disposition of the boards on which the respondents serve.
Term limits, age limits and diversity goals have been approaches used to minimize “group think” and reduce risk, among other objectives. How has this been addressed by your board? Do you agree with employing these methods? What other approaches has your board employed to reduce risk through its director profile?
Response | TERM LIMITS ALL | PUB | PRIV | NfP | AGE LIMITS ALL | PUB | PRIV | NfP | DIVERSITY GOALS ALL | PUB | PRIV | NfP
Yes | 22% | 3% | 16% | 49% | 14% | 30% | 10% | 0% | 32% | 32% | 23% | 42%
Yes, for some time | 12% | 5% | 10% | 20% | 4% | 10% | 3% | 0% | 18% | 18% | 8% | 27%
Yes, but soon may change | 1% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 1% | 3% | 0% | 0%
No | 61% | 82% | 69% | 31% | 76% | 53% | 82% | 95% | 41% | 38% | 59% | 27%
No, but they did exist | 2% | 2% | 0% | 2% | 1% | 2% | 0% | 2% | 1% | 2% | 0% | 0%
No, but this may change | 6% | 10% | 6% | 2% | 6% | 8% | 4% | 2% | 8% | 10% | 11% | 5%
Overall, the boards represented do not employ term limits. However, 75% of directors support employing this measure. Not-for-profits seem to be the most progressive in incorporating limits and quotas to minimize group think and reduce risk.
PUBLIC COMPANY BOARDS: 94% do not have term limits; 62% do not have age limits; 47% do not use diversity goals.
PRIVATE COMPANY BOARDS: 75% do not have term limits; 86% do not have age limits; 30% do not use diversity goals.
NOT-FOR-PROFIT BOARDS: 35% do not have term limits; 100% do not have age limits; 30% do not use diversity goals.
The board members seem to understand the potential risks of not using limits, yet many seem to be hesitant to address this concern. Christopher Clark with the National Association of Corporate Directors says, “The board needs first to understand and subsequently to be a driving force regarding the myriad distinctions among people in the workplace and the mechanics of unconscious bias. Keying the c-suite and all employees in to how people think results in more egalitarian behaviors across the entire enterprise; thus mitigating risk to varying degrees.”
We queried the respondents about other approaches that have been utilized by boards to reduce risk through the director profile, and the majority of respondents cited “experience.”
How would you define your board’s understanding of key issues facing the organization?
Topic | WELL-VERSED ALL | PUB | PRIV | NfP | TRY TO STAY EDUCATED ALL | PUB | PRIV | NfP | SOME ARE BETTER THAN OTHERS ALL | PUB | PRIV | NfP | FALLING SHORT ALL | PUB | PRIV | NfP
Cybersecurity | 14% | 24% | 13% | 3% | 38% | 35% | 43% | 37% | 38% | 34% | 33% | 47% | 14% | 10% | 15% | 17%
Social media | 6% | 7% | 5% | 9% | 32% | 29% | 38% | 29% | 49% | 46% | 47% | 53% | 16% | 19% | 14% | 16%
Reputational issues | 43% | 52% | 39% | 37% | 38% | 38% | 36% | 37% | 18% | 10% | 22% | 25% | 3% | 0% | 4% | 3%
General business strategy | 64% | 87% | 65% | 34% | 22% | 8% | 25% | 34% | 13% | 3% | 10% | 24% | 4% | 2% | 1% | 10%
Compliance | 43% | 67% | 39% | 32% | 34% | 26% | 40% | 32% | 23% | 8% | 22% | 39% | 2% | 0% | 0% | 5%
Reputational risk is a severe threat to all companies: large and small; public, private and not-for-profit. Yet, time and time again, responses from board members indicate that reputational risk is so broad in scope – highly impacted by other risks like financial, product, cyber and more – it is difficult to sufficiently address and prepare for types of reputational threats. While companies are beginning to take the proper steps to prepare for a reputational crisis by having plans in place, providing training and employing an internal audit function, less than 50% of respondents feel they are “well-versed” in the issues.
“Board members have once again clearly identified many of their continuing concerns – cyber, reputation, strategy to name just a few. It is interesting to note that each of their concerns is impacted in a major way by the accelerating pace of change that all companies are experiencing. To fulfill their commitments to their stakeholders, board members need to understand this accelerating pace of change and ensure that their organizations are informed, educated and forward-focused.”
CHARLES WEINSTEIN, CPA
Chief Executive Officer, EisnerAmper LLP
ABOUT EISNERAMPER
EisnerAmper is one of the nation’s largest full-service accounting firms and serves clients around the globe. The firm is also one of the nation’s leading auditors of SEC registrants and maintains one of the largest public company practices of any independent firm, providing services such as audit, tax, internal audit, pension audit, and/or consulting to more than 200 public companies. With nearly 1,200 employees, including 180 partners, the firm provides services to diverse enterprises including sophisticated financial institutions, global public corporations, and middle-market companies as well as family offices, not-for-profit organizations, and entrepreneurial ventures across a variety of industries.
EisnerAmper’s knowledge of the capital markets helps clients seeking advice on issues such as mergers and acquisitions, debt financing, IPOs, due diligence, valuation, international expansion and restructuring. The firm provides a comprehensive set of services to high net worth individuals and families, including tax planning and compliance, investment planning, international wealth advisory services, risk management, trusts and estate planning, cash flow and asset protection planning.
EisnerAmper professionals have significant breadth and depth of knowledge in key service areas including consulting services comprised of internal audit, risk management, information technology and compliance. Other primary service lines include business and asset valuation, international tax, benefit plan audit, litigation and forensic accounting, bankruptcy and insolvency and royalty audit.
EisnerAmper has deep expertise providing audit, tax and advisory services to clients in major industry groups including life sciences, clean tech, technology, digital media, sports and entertainment, health care, real estate, construction, not-for-profit, manufacturing, automotive, distribution and retail.
Through various avenues, such as EisnerAmper Cares, the Women of EisnerAmper and employee affinity groups, EisnerAmper employees are encouraged and supported to make a difference through volunteer projects and community service.
Engage with EisnerAmper!
www.eisneramper.com
Write: survey@eisneramper.com
CONTACTS
MICHAEL BREIT, CPA
Partner-in-Charge, Audit and Assurance Services
EisnerAmper LLP
212.891.4089
michael.breit@eisneramper.com
Michael Breit is Partner-in-Charge of the firm’s Sports and Entertainment Group as well as Audit and Assurance Services. He is also a leader in the Public Companies Group and a member of the firm’s Executive Committee. Prior to joining the firm, he was a Partner at a Big 4 firm.
Michael has extensive Securities and Exchange Commission experience and has been involved in the initial public offerings of several premier broadcasters and cable TV operators. Michael has also participated in numerous due diligence efforts relating to the formation of programming ventures and acquisition of sports franchises. In addition, he possesses significant retail experience, having served many retailers throughout his career. As a Certified Fraud Examiner, Michael has led cable TV defalcation investigations and has served as an expert witness in several arbitration and litigation matters.
An active community member, Michael serves as Treasurer and Director of WISE (Working in Support of Education), a leading New York City based not-for-profit dedicated to serving educational needs.
STEVEN KREIT, CPA
New York Partner-in-Charge, Technology and Life Sciences Groups
EisnerAmper LLP
212.891.4055
steven.kreit@eisneramper.com
Steven Kreit is Partner-in-Charge of the Life Sciences Group and Technology Group in New York and a member of the firm’s audit team. Steven’s experience benefits his clients throughout their entire lifecycle: from emerging entities through growth stages and transactions as well as maturity. His experience spans his years at EisnerAmper as well as a Big 4 firm.
Steven brings more than an outsider’s perspective: He has been engaged as an acting CFO for a publicly traded firm as well as a pro bono advisor to early stage start-ups. He also serves on the Board and Executive Committee of a not-for-profit entity; and is currently its Treasurer.
Steven’s work is well-respected by colleagues and financial executives. His analysis of accounting and risk-related topics is regularly quoted in professional publications and he is frequently engaged to speak to a range of audiences.
©2015 EisnerAmper LLP. All rights reserved. www.eisneramper.com