SEC Filing | Iteris Inc

View:

Download DOC

Download PDF

November 12, 2004

VIA EDGAR AND FEDERAL EXPRESS

Securities and Exchange Commission

450 Fifth Street, N.W.

Mail Stop 4-6

Washington, D.C. 20549

Attn: Ms. O. Nicole Holden and

Mr. Robert Benton

Re: Iteris, Inc., formerly known as Iteris Holdings, Inc.
Form 8-K filed October 12, 2004
(File No. 010605)

Dear Ms. Holden and Mr. Benton:

We are in receipt of the comments of the Staff of the Securities and Exchange Commission (the “Commission”) set forth in your letter dated October 28, 2004 (the “SEC Comment Letter”) regarding the above-referenced Form 8-K of Iteris, Inc., a Delaware corporation formerly known as Iteris Holdings, Inc. (the “Company”). We are concurrently filing with the Commission an amendment to such Form 8-K (the “Amendment”) on behalf of the Company.

The numbered responses set forth below contain each of the Staff’s comments set off in bold type and correspond to the numbered comments contained in the SEC Comment Letter. All factual representations in this letter are based upon information provided to us by the Company.

1. Refer to the third paragraph. You state that there were no disagreements with E&Y through September 30, 2004. You state that you notified E&Y on October 5, 2004 of their dismissal. Tell us, and revise your filing as applicable, if there were any disagreements with E&Y in the interim periods from September 30, 2004 and through the date of their dismissal on October 5, 2004.

Please be advised that there were no disagreements with E&Y in the interim period from September 30, 2004 through October 5, 2004 either. The Company is concurrently amending its Form 8-K to state that no disagreement between the Company and its auditors existed during that period.

2. Provide us with any letter or written communication to and from the former accountants regarding any disagreements or reportable events to management or the Audit Committee.

The Company is supplementally providing the Staff with a copy of the Company’s 2004 management letter, which includes the Company’s formal response to this management letter. There was an informal email draft response to E&Y, but the foregoing final management letter contains the Company’s formal response to this letter.

3. To the extent that you make changes to the Form 8-K to comply with our comments, please obtain and file an updated Exhibit 16 letter from the former accountants stating whether the accountant agrees with the statements made in your revised Form 8-K.

The Company is concurrently amending the Form 8-K as requested and is filing an updated Exhibit 16 letter from Ernst & Young LLP. The Company has discussed this matter with E&Y and they have advised the Company that they concur that no disagreement existed between the Company and Ernst & Young LLP prior to September 30, 2004, or from September 30, 2004 until the date of E&Y’s dismissal on October 5, 2004.

Form 10-K for the year ended March 31, 2004

Item 9A, page 25

Refer to the Item 4.01 Form 8-K and the reportable condition communicated to you by E&Y, LLP. Tell us how you were able to provide true and accurate Item 9A disclosures regarding Controls and Procedures in your Form 10-K. The reportable condition disclosed in your Form 8-K appears to indicate you may lack the necessary disclosure controls and procedures, as well as internal controls necessary to provide true and accurate Item 9A disclosures. Please advise.

The Company advises the Staff that it does not believe that the stated reportable condition constitutes a material weakness in the Company’s internal controls. In addition, the Company continues to believe that its disclosure controls and procedures were effective in timely alerting them to the material information relating to the Company. The Company is a small corporation and its management team was actively involved in the preparation of the Company’s public reports.

As stated in the Company’s response to E&Y, the Company believed that the delays in the reporting process giving rise to the reportable condition were primarily the result of (i) transitional issues related to the replacement of the controller of the Company with the controller of the Iteris subsidiary and the subsequent promotion of that controller to the Company’s chief financial officer; (ii) the Company’s recent divestiture of multiple business units and reorganization of the Company’s business, and (iii) the travel schedules of key management during the audit and review process.

Please be advised that the Company’s independent auditors met with the Company’s Audit Committee in connection with their audit of the 2004 financial statements and informed the Company’s Audit Committee that they were not aware of any material weakness in the Company’s internal controls at that time. When E&Y subsequently delivered the management letter to the Company, E&Y confirmed that they were not alleging that the reportable condition represented a material weakness in the Company’s internal controls. The Company believes that the delays in the reporting process were due to unusual circumstances at the time and do not represent either a material weakness in the Company’s internal controls or its disclosure controls and procedures.

5. Also, we note from the Form 8-K that management has already considered potential enhancements and taken steps to enhance the Company’s internal controls and procedures that address the issues raised by E&Y. Tell us the dates of these potential enhancements and additional steps taken, and why you did not disclose any changes to internal controls under Item 9A or revise Item 9A as necessary.

Please see the management responses to E&Y in the management letter, which detail the specific enhancements that the Company has taken or plans to take with respect to the recommendations of E&Y set forth in their management letter. Since receipt of the management letter in late September 2004, the Company has implemented its Close Process Review Matrix, Close Process Task Matrix, and the Quarterly & Year End Timelines and has established a Disclosure Committee to supplement its current disclosure procedures and controls. The Disclosure Committee has already met in connection with the Company’s Quarterly Report on Form 10-Q for the quarter ended September 30, 2004. The Company’s new chief financial officer has completed the transition to his new role and has been working closely with the Company’s new auditors to ensure that no further delays are experienced. Please note, the Company’s management did not have E&Y’s management letter at the time of the 10-K filing and believed its existing internal controls were adequate at that time.

* * * *

Please be advised that the Company acknowledges that (i) the Company is responsible for the adequacy and accuracy of the disclosures in its filings; (ii) that the Staff comments or changes to disclosure in response to the Staff’s comments in the filings reviewed by the Staff do not foreclose the Commission from taking any action with respect to the filings; and (iii) the Company may not assert the Staff’s comments as a defense in any proceeding initiated by the Commission or any person under the federal securities laws of the United States.

Any comments or questions concerning this matter or the Amendment should be directed to the undersigned at (949) 932-3670.

Thank you for your assistance in this matter.

Very truly yours,

DORSEY & WHITNEY LLP

By: Ellen S. Bancroft

bcc:         Mr. Gregory A. Miner
                Mr. Jack Johnson
                Mr. Jim Miele

Iteris Management Letter

Attachment to Iteris, Inc. Letter dated November 12, 2004

Audit Committee
Iteris Holdings, Inc.

In planning and performing our audit of the consolidated financial statements of Iteris Holdings, Inc. (“Iteris” or “The Company”) for the year ended March 31, 2004, we considered its internal control to determine our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements and not to provide assurance on internal control. However, we noted certain matters involving internal control and its operation that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of internal control that, in our judgment, could adversely affect the organization’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the consolidated financial statements.

Financial Statement Close Process Deficiencies

The length of time required by the Company to close its books and issue its consolidated financial statements is excessive given its status as a public company. The fiscal 2004 year-end close process, which included the preparation by the Company of account analysis and schedules and the creation and recording of adjusting journal entries, continued until the filing of the Annual Report on Form 10-K on June 29, 2004, the last day before an extension would have been required.

The Company’s ability to close its books timely and effectively prepare for its annual audit was also significantly impacted by an apparent lack of communication of important transactions that occurred during the period to the Company’s Controller. This situation led to matters being identified at or near the filing of the Company’s Form 10-K, which left little time for the Company’s finance department to appropriately analyze such items for accounting purposes, without significant assistance from its professional service providers.

During the financial statement closing process the Company did not prepare nor maintain a detail listing of the required reconciliations and account analyses needed to close the books that also noted the responsible persons for preparing and reviewing each schedule and the agreed-upon due dates for preparation and review. This task, time, and responsibility (TTR) schedule is a normal control tool. In lieu of a TTR schedule, the Company generally used our audit request schedule for such purpose.

Delays in the closing of the books and completing account reconciliations and analyses in a timely manner and the continuous recording of adjusting entries and accruals through the date of the filing of the Form 10-K caused inefficiencies for the Company, its professional service providers and all others involved in the financial statement preparation and review process. Importantly, they also increase the risk of financial statement error due to the limited time available for the review and analysis of the financial information and related reporting documents. The Company’s ability to compile its consolidated financial statements and related

reports was delayed pending closure of the accounts and finalizing the adjustments, which resulted in the need for its professional service providers to be at the printers on the final day to get the Company’s Form 10-K filed.

The effect of the Company’s inability to timely and accurately close its books during our audit was delayed and additional effort was required due to significant inefficiencies. These increased hours resulted from staffing changes, significant rework of account reconciliations and analyses, and the need to audit a “moving target.”

Accordingly, we recommend the Company:

• Establish a much more formal financial statement closing schedule including dates by which general ledgers will be closed (including (1) the recording of all quarterly and year-end accruals and (2) the completion of all account analyses, reconciliations and recording of necessary adjustments, consolidation completed (including elimination entries), and draft consolidated financial statements prepared;

• Maintain strict adherence to the closing schedule to enhance the quality of the Company’s financial reports and ensure that the Company achieves its earnings release and SEC filing objectives and deadlines;

• Create and fill the staff position of Financial Reporting Manager, who would be responsible for all external and internal reporting of financial information and related reports with the SEC and others. This individual should have the requisite training and experience to have primary responsibility over the preparation and review of the Company’s quarterly and annual financial statements as well as other required filings with the SEC;

• Ensure that senior management emphasizes the importance of an effective internal control environment and insists upon timely, accurate financial reporting;

• Develop and implement a comprehensive financial reporting quality control checklist detailing all preparation, review and approval activities for quarterly and annual reporting requirements. Individuals responsible for each activity on the checklist should be required to signify the performance of each activity for each filing;

• Ensure that transactions entered into by the Company are communicated to financial personnel responsible for maintaining the Company’s books and records, including preparation of SEC filings, in a timely manner.

Shareholders and others expect timely and accurate financial reporting and the securities laws require registrants to provide it. Furthermore, filing deadlines for the Company would be

significantly shortened in the event the Company becomes an accelerated filer, requiring processes and procedures to be designed with consideration of meeting the tightened deadlines. Implementation of the recommendations outlined above should enable the Company to drastically improve the timeliness and quality of its periodic financial reporting.

Management Response:

Fiscal 2004 was an important transitional year for Iteris on a number of levels:

• The Company completed the divestiture of its Broadcast, Zyfer, and MAXxess Systems subsidiaries, and began unwinding most of its foreign operations.

• The Company underwent a major restructuring from a multi-divisional entity operating in several markets with multiple general managers and related profit centers and highly diverse and complicated accounting issues to one where the business is comprised of a non-operating parent company and a single operating subsidiary.

• The Company transitioned all consolidated accounting and reporting services from a previous team located at the Parent company, to a team located at the operating subsidiary level of Iteris, Inc. In connection with this transition, the previous controller who had been with the company for approximately 20 years resigned, and Jim Miele was given full charge Controllership responsibility for both the parent and subsidiary.

• The Company’s accounting staff was faced with significant challenges related to the hand-off of accounting transactions and files in order to effect the transition to the subsidiary. The accounting staff and Controller responsible for interface with E&Y had been responsible for closing the books of the consolidated entity for only the final three months ofFiscal2004.

As a result of the transitional challenges outlined above, fiscal 2004 was a uniquely challenging year for the Company. The Company acknowledges that this also created a challenging year for E&Y. The silver lining to this transitional year was that the Company’s organizational structure and the related accounting and reporting structures are dramatically simplified going forward. The stage has been set for the implementation of additional accounting processes and organizational strength, which will dramatically build upon the new structure going forward.

Comments Regarding the Fiscal 2004 Close and other Observations by E&Y:

The Company closed its books for March 31, 2004, by the end of April 2004. When E&Y arrived on approximately May 17 to begin fieldwork, they were delivered a disk containing the preliminary trial balances of both Iteris Holdings and Iteris, Inc., in addition to a number of accounting schedules required for the audit. The Controller indicated that there were additional posts closing entries to come. The Controller also indicated that he was leaving for 2 weeks beginning May 20. The occurrence of the post closing entries was largely a direct outcome of the transitional issues faced in fiscal 2004.

The closing process of the Company yields a preliminary trial balance approximately 5 to 7 business days following the end of each month. Quarter-end and year-end periods are slightly longer to enable stronger cut-off for accounts payable. During the Fiscal 2004 period, the company used detailed checklists for the entries and analysis of each account area subject to close, but as noted by E&Y, these checklists did not provide for sign-off by the related personnel. Because of a relatively limited number of people in the accounting department, the company relied on its detailed knowledge of which personnel were responsible for each task. This process has been improved as noted below.

The closing process and, more importantly, the work of E&Y were negatively impacted by the travel schedule of the Company’s new Controller during the audit. E&Y arrived to begin fieldwork on approximately May 17 and the Controller was out of the country between May 20 and June 3. This was an unfortunate circumstance that hindered the Company’s and E&Y’s work scheduled.

The management comment letter from E&Y states that the Company relied on the CPS schedule to complete its closing process. This statement should be clarified. The Company used E& Y’s CPS schedule to complete specific analyses that E& Y needed to complete its audit procedures, but the company maintains subsidiary records and schedules in other formats to complete its closing process. The Company also acknowledges that these schedules can be improved, and as noted below it has undertaken to complete such improvement.

The management comment letter from E&Y states that there was an apparent lack of communication of important transactions during the year that the Controller needed to correct at year-end. Poor communication from the transition accounting team including the prior Controller of the Company was a reality. Fortunately this problem is self-corrected with the completion of the transition and the replacement of the prior Controller with the new Controller (recently promoted to CFO). Furthermore, the new business organization of a single operating entity and other changes as noted below dramatically reduces this issue moving forward.

The Comment letter refers to “recording of adjusting journal entries, continued until the filing of the Annual Report.” We believe that E&Y is referring to a single reclassification entry recorded at the printer to reclassify “inventory” to “other” assets. The Company had agreed to record this entry to the working trial balance maintained by E&Y prior to arriving at the printer, but it came to the collective attention of E&Y and the Company that the entry had not been recorded to the final trial balance. This was an unfortunate circumstance.

Comments regarding E& Y’s Recommendations:

• Comment: Establish a more formal financial statement-closing schedule.
Response: The Company has made significant steps in this process. We have now created a “Close Process Review Matrix,” a “Close Process Task Matrix,” and the “Quarterly & Year-End Timelines.”

• Comment: Maintain strict adherence to the closing schedule.
Response: The Company’s current schedule comprehends an 8-day close. Our goal is to move this to a 5 day close. Quarter and year-end periods will be slightly longer given increase complexity and reliance on stronger cutoff procedures.

• Comment: Create and fill position of Financial Reporting Manager.
Response: The Controller was appointed to CFO. The position of Controller and Financial Reporting Manager is currently being recruited.

• Comment: Ensure that senior management emphasize the importance of an effective internal control environment and insist on timely reporting.
Response: We believe this is inherent in the new organizational structure.

• Comment: Develop and implement a comprehensive financial reporting quality control checklist detailing all preparation, review and approval activities for quarterly and annual reporting requirements.
Response: The Company’s plan is to incorporate these features into the new “Close Process Task Matrix.”

• Comment: Ensure that transactions entered into by the Company are communicated to financial personnel responsible for maintaining the Company’s books and records, including preparation of SEC filings.
Response: The Company is undertaking steps to form a separate internal “Disclosure Committee” made up of senior management from each area of the business. This committee will meet quarterly to review with the CFO all business transactions entered into during the prior meeting which may have potential consequences on financial reporting and disclosure.

************************

In addition to the reportable conditions described above, we have provided comments on other matters in Attachments A, B and C to this letter.

This report is intended solely for the information and use of the audit committee, management, and others within the organization and is not intended to be and should not be used by anyone other than these specified parties.

We would be pleased to discuss the above matters or to respond to any questions, at your convenience.

June 8, 2004

Attachment A

The following summarizes the accounting and internal control observations for Iteris, which were made during the conduct of our audit. Included is a detailed description of each observation presented, including a brief discussion of the current state, recommended action, and management’s response, including corrective action taken or in process.

Internal Controls

The Company does not have appropriate segregation of duties over the accounts payable (AP) process. For example, AP checks are prepared and reconciled by the same person and the accounting manager can approve credit, issue checks and void checks.

Both the preparer and the reviewer do not sign off on bank reconciliations. By not signing off on the reconciliation the reviewer is not documenting his/her review and the completion of this critical control.

Certain employee time cards reviewed during our test of controls over the payroll process were not signed by the employee’s direct supervisor, but were instead signed by an individual in the accounting department.

Recommendation:

Review the AP and all other significant accounting processes to identify any inappropriate segregation of duties and re-allocate tasks and responsibilities so that these are eliminated.

Both the preparer and the reviewer of all reconciliations, bank, accounts payable, accounts receivable etc., should sign the reconciliation to ensure proper documentation of the task. This is even more important as the Company looks to become compliant with the rules and regulations imposed by Section 404 of the Sarbanes- Oxley Act.

To ensure that the appropriate level of review and approval of time worked by employees is completed, all time cards should be signed off by the employee’s immediate supervisor or other delegated person.

Management Response:

It is agreed that the Company has been deficient in the review of bank reconciliations and is in the process of implementing a formal review process.

The Company has very sound controls over the accounts payable function in light of not being able to obtain optimal segregation of duties because of cost considerations. While it is true that

the AP Clerk prepares and maintains checks, the accounts payable ledgers are reconciled to the general ledger by the Accounting Manager and over the course of the last few quarters, no material reconciling items have been noted. In addition, the Company’s Accounting Manager cannot issue checks. Should the need arise to prepare a check that is not evidenced by and invoice and a purchase order, the Company has a manual check process which provides that the Company’s Controller approve all checks of this nature. Should a manual check be prepared without Controller approval, the Accounting Manager nor the AP Clerk have check signing authority, making it very difficult to perpetrate fraud involving AP.

In many instances, timecards are not signed by an associate supervisors, however, the Company provides electronic reports available on its internal network to all managers, which include a variety of labor information by associate (i.e., Labor hours by department, project etc). The Company feels that having these reports available to its managers, on a weekly basis, mitigates the need for physical review of timesheets. Additionally, the Company has considered the use of electronic signatures on timesheets and electronic reviews, which would eliminate the need for physical signatures entirely.

INVENTORY

During the completion of the physical inventory observation, we noted that the warehouse appeared to be too small for the level of inventory on hand and that certain high dollar inventory items were on the floor and unlabeled.

The Company had no formal process for the identification of excess and obsolete inventory and the calculation of reserves for such inventory.

Recommendation:

At a minimum, inventory should be tagged prior to counting to ensure that all inventory items are identified and counted. Better security and storage should be provided for the higher dollar inventory items. The Company should consider performing quarterly or monthly cycle counts to ensure that any inventory issues relating to the quantity on hand are identified and resolved in a timely manner.

The Company should develop a formal month-end process for the identification of excess and obsolete inventory and the calculation of the reserves to be recorded relating to such inventory.

Management Response:

Subsequent to the 2004, physical inventory the Company moved its warehouse from 1585 S. Manchester to 1515 S. Manchester at its Anaheim facility. The new facility provides better control and more space for the Company’s inventory and, therefore, should address the issues raised by the Company’s auditors

The Company is however, unclear of the meaning of “unlabeled” inventory. The majority of the Company’s inventory is pre-packaged and received from contract manufactures and most, if not all, the inventory is identified by a product number on the external packaging, on the actual PCB, or on the inventory item. The Company does not necessarily label boxes or ultimate locations where inventory items eventually reside. It is also possible the Company was in the process of “receiving” certain inventory items during the physical inventory giving the appearance that items were “on the floor. “ With this in mind, the Company has noted these comments and will review the overall maintenance and safeguarding of inventory items with the Company’s Inventory Manager.

The Company currently does not “tag” inventory items as part of its year-end physical inventory process. The Company will review its process at year-end and evaluate the need for “tags. “ In addition, the Company has been and currently performs cycle counts of its inventory. However, this process and these counts have not been documented by the Company. Accounting will consider formally documenting the process in the current fiscal year.

A formal process was developed for the identification of excess and obsolete inventory at March 31, 2004. The process provides that the Company review its inventory quarterly and was agreed to by Ernst & Young LLP as part of the year-end audit.

ACCOUNTS PAYABLE

The Company dates checks on the date that the check run is completed. However, there is usually a one-day lag prior to the check being cut and mailed, leading to a reduction in the bank balance and AP balance one day prior to the checks being physically issued.

Recommendation:

The Company should cut and mail checks on the date that they perform check runs to avoid the one-day lag and incorrect reduction in the AP and bank balances in the GL.

Management Response:

It is generally not feasible for the Company to actually mail checks the same day they are cut. The Company’s process requires matching each check with invoices and receiving reports, which is an extremely time consuming task. In addition, signatures are required on all checks and checks > $5, 000 require two signatures. On any given check run, appropriate check signors might not be available and, therefore, checks may be held until proper signatures can be obtained. With this in mind, the Company often cuts checks before they are actually due to our vendors in order to ensure that the cash disbursement process is properly followed and payments are within terms.

PROPERTY, PLANT & EQUIPMENT

• The Company has a number of fully depreciated assets on the current fixed asset ledger.

• The Company uses the double declining method for calculating depreciation on fixed assets.

• The Company does not have an effective software package for tracking fixed assets.

Recommendation:

Fully depreciated assets should be evaluated to determine if they should be written off.

The Company should consider utilizing the straight-line method for depreciating assets. The straight-line method is a much simpler and more commonly used method for depreciation.

The Company should purchase a newer software package to track fixed assets that will allow them to obtain the reports and analysis that they need to complete monthly, quarterly and annual financial reports and analyses. The Company should also consider performing a full physical inventory of its fixed assets given the recent dispositions of business units and consider the use of bar codes to “tag” fixed assets which have been identified so that they can be easily tracked in the fixed asset ledger and identified in the future.

Management Response:

Agreed. The Company will consider writing-offfully deprecated assets, using the straight-line method for calculating depreciation, performing a physical inventory of our fixed assets and upgrading of the fixed asset software package.

STOCK OPTIONS

During the audit the Company identified certain warrants and option grants to non-employees that had previously not been identified and accounted for correctly, which required very late adjustments to be booked into the financials for fiscal 2004.

The Company currently does not have a stock option software package to assist in the processing, tracking and accounting for stock option and warrant activity.

Recommendation:

The Company should develop an effective process, which includes a monthly review of warrant, and option activity, to ensure that such items are properly accounted for.

The Company should consider utilizing a software package such as Equity Edge or a similar package, to use in the processing and tracking of stock option activity. This software also provides the Company with the relevant FAS 123 pro-forma expense calculations and information for the appropriate FAS 123 footnote disclosures. As the FASB is currently considering whether to require the expensing of value of stock options, the Company should ensure that the software package they use can handle the proposed new rules as well as the current rules to avoid the software being made obsolete.

Management Response:

Agreed. The Company will develop a formal process to review warrant and option activity to ensure that all grants and exercises are properly accounted for. Additionally, the Company is in the process of evaluating software packages such as Equity Edge and others in an effort to find the right tool to assist the Company in tracking and reporting options and warrant activity.

ADDITIONAL TESTING OF INTERNAL CONTROLS IN FUTURE AUDITS

The SEC’s rules for implementing the provisions of Section 404 of the Sarbanes-Oxley Act of 2002 requires management’s report on its assessment of internal control over financial reporting and our related attestation report to be included in the Company’s annual report for the year ended March 31, 2006 (or the year ended March 31, 2006 if the Company is considered an accelerated filer)). Accordingly, our 2006 (or 2005) audit will be an integrated audit in which we will issue an opinion on both the Company’s financial statements and management’s assessment of the effectiveness of internal control over financial reporting.

In our audit of the Company’s 2004 financial statements, we considered the Company’s internal control only to determine our auditing procedures for expressing an opinion on the financial statements, and not to provide assurance on internal control. Our consideration of internal control for the limited purpose of determining the nature, timing, and extent of our auditing procedures to express an opinion on the Company’s 2004 financial statements would not necessarily disclose all deficiencies in internal control over financial reporting. In connection with our audit of internal control over financial reporting as of March 31, 2006, we will be required to test controls over all significant accounts and disclosures, which necessarily will involve testing controls in more areas than in previous audits, and testing those controls more extensively.

Areas where our testing of controls will be expanded in future audits include, but are not limited to, the following:

All significant non-routine and estimation processes, including the Company’s process for calculating the provision for income taxes and developing related disclosures.

• Financial statement close process, including the process for initiating, processing, and recording standard and non-standard journal entries.

• Information technology general controls, such as controls over program changes and access to data files.

• Entity-level controls, including programs and controls designed to prevent, deter, and detect fraud.

• Processes that previously were subjected to testing on a rotational rather than annual basis.

Because management will be required to document, test, and assess the Company’s internal control over financial reporting and we will be performing additional tests of internal controls, control deficiencies might be identified in 2006 that were not identified in 2004 or prior years. Each of any such control deficiencies, whether identified by management, internal audit, or us, will need to be evaluated, both individually and in the aggregate, to determine whether any significant deficiencies or material weaknesses exist. As a result, there is an increased likelihood that a significant deficiency or material weakness in internal control over financial reporting could be identified in 2006.

Preparing for Internal Control Reporting under Section 404 of the Sarbanes-Oxley Act:

The Public Company Accounting Oversight Board has issued an auditing standard, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, which provides guidance that independent auditors should follow in conducting and reporting on the results of an audit of internal control over financial reporting. In addition, the Standard acknowledges the responsibilities that management is required to fulfill for us to satisfactorily complete the audit of internal control.

Management needs to be actively involved in and direct and take responsibility for the overall documentation and assessment process, including determining which controls should be documented and tested. In addition, management has final responsibility for determining that the procedures performed provide a sufficient basis for its assessment.

Our audit of internal control over financial reporting as of March 31, 2006, will include an evaluation of the adequacy of management’s assessment process. Inadequate documentation of the design of controls would be considered a deficiency in the Company’s internal control over financial reporting. This documentation deficiency would need to be evaluated to determine whether it represents a significant deficiency or material weakness.

Based on our observations and discussions with company personnel, we have concerns about the current status of management’s assessment process, including the availability of adequately qualified internal resources to complete this process.

We recommend that management establish a plan and timeline for compliance with Section 404 of the Sarbanes-Oxley Act no later than December 31, 2004, and plan to substantially complete the documentation of processes and controls by June 30, 2005, and substantially complete the initial evaluation and testing of those controls by then with the remaining effort to be completed no later than September 30, 2005, to provide as much time as possible in the remainder of the year to address any identified control deficiencies, and sufficient time for us to test controls, including any new or modified controls as necessary, prior to the end of the year.

Management Response:

The Company clearly understands the need to begin documenting and testing to be compliant with Section 404. Over the course of the next quarter the Company intends to identify resources to perform the 404 work and begin the planning process with the goal of having the documentation portion completed by June 30, 2005, and our internal testing completed by September 30, 2005.

Attachment B

In conjunction with our audit of the financial statements of Iteris for the year ended March 31, 2004, we performed a review of general computer controls including logical security, user access administration and application change controls over the information resources. The review was designed to identify and evaluate the effectiveness of the existing policies, procedures, and controls in the information technology (IT) environment. The review assists in determining the nature, timing and extent of our audit procedures in order to provide an opinion on the material fair presentation of the financial statements when considered as a whole.

DISASTER RECOVER PLANNING/BUSINESS CONTINUITY PLANNING
(Carried over from FY 2003)

We noted that the Company has a disaster recovery plan (DRP), however the Plan has not been tested nor updated in the past several years.

A disaster recovery plan will prepare the organization for and assist in the recovery of systems which support critical business processes should a disaster or significant disruption occur. Without having an updated plan, there is risk that the organization will not be able to recover the systems that support critical business processes in a timely manner that could result in financial loss. Additionally, without performing regular testing on the Plan, there is an increased risk that the Company may not be able to recover critical operations in a timely manner following an unplanned processing disruption.

Recommendation:

The Company should review the plan thoroughly for completeness and adequacy and update, as needed, especially after the selling of some divisions in the past years. For any section with a blank or incomplete information, if there are procedures that have been developed and are available, they should be imported into the plan; otherwise, the procedures have to be identified and documented and made available in all copies of the plan.

In addition, the Plan has to be tested at a minimum annually and the test results and relating details of each test have to be documented in the Plan for future reference.

Management Response:

The Company is aware of this situation and will present your recommendations to upper management. Additional resources and time will have to be provided to accomplish this task.

USER ACCESS ADMINISTRATION

During our review on the user access administration, we noted the following areas where improvement could be made to enhance the administration over user access to the system:

Inactive/Unused Accounts

We identified 4 regular user accounts in the VMS system that have not logged in for 90 days or more. Additionally, we identified 28 regular accounts that have never logged in for over 90 days (inactive) including the default Guest account and 32 regular accounts that have never been used since the accounts were created.

Excessive Access to the System

During our review, we noted that there were 3 Cincom users who were granted access to the menu functions that they do not need in order to perform their jobs. Additionally, we also noted one accounting user who has already transferred to another division, Maxxess, but still had the VMS privilege access such as the SETPRV that allows the user to enable any or all privileges and BYPASS that allows the user to override all protection.

Inconsistent monitoring and review over system access may result in inappropriate active accounts and privileges, which may lead to unauthorized access to key systems and application data.

Likewise, if users are assigned attributes and rights greater than they need, they will have access to unnecessary system resources and functions via the permissions and rights associated with this user ID. Failure to appropriately restrict and/or remove access to specific functions required by each end user increases the risk of unauthorized users intentionally or unintentionally modifying financial data.

Recommendation:

In order to continue strengthening the controls for administrating and monitoring user access, we recommend the following:

• The Company should implement a procedure that requires periodic review of user access. Accounts with no activity should be investigated further and removed or disabled if not required.

• The Company should remove or rename the default Guest account in the Windows 2000 system. Users requiring temporary access should be assigned a pre-expiring account that is automatically disabled after a specified time period.

• The system administrators should distribute a listing of users with their respective access rights to user management for their review. Changes should be communicated to the system administrator in writing. Necessary changes should be made immediately.

Management Response:

The Company has implemented a monthly review of user access and will take appropriate action. The Windows 2000 Guest account has no access to networked privileged shares. The Company has implemented accounts tracking to disable existing accounts when associates get terminated.

WINDOWS 2000 - PASSWORD MAINTENANCE
(Carried over from FY 2003)

As part of our audit, we reviewed the account policy configuration of the Windows 2000 network operating system. We noted that passwords are not set to expire periodically, minimum password is set to 0 that allows the user to change the password immediately, and the password history is set to 0 which allows users to use the previously used passwords.

Passwords are an essential component of logical security that directly affects the integrity of the computing systems that support the Company. In order to provide an adequate level of protection against accounts being used in an unauthorized manner, a reasonable level of password complexity should be established and maintained.

Recommendation:

The Company should set the passwords to expire, regardless of title. All passwords have to expire at least within 90 days and accounts with higher access should practice stronger password attributes and expire every 60 days. Minimum password age should be set to at least 1 day in order to prevent users to change immediately. The password history should also be set to at least 5 in order to disallow users using the previously used passwords as their new passwords.

Management Response:

Strong passwords are assigned. Users are not allowed to select their own passwords. The Company does not require changes to private account passwords to discourage users from writing down passwords. The Company does not permit account sharing. Each user has his or her own account. The Company has procedures in place so that we are promptly notified when associates leave the Company and we promptly close their accounts. Passwords are not reused except in the case of returning associates.

BACKUP TAPES - OFF SITE STORAGE (Carried over from FY2003)

During our review of backup procedures for production data and program files, we identified that daily incremental and weekly full backups were performed. However, we noted that only the weekly backup tapes are taken to the off-site storage. The daily backup tapes are stored in the computer room.

Taking backup tapes for off-site storage only on a weekly basis presents the risk that up to a week’s worth of data may be loss in the event of a disaster.

Recommendation:

We recommend that the management consider storing the daily backup tapes in the off-site storage or in the fireproof safe that is located within the IS area.

Management Response:

Currently the daily backup tapes are being appended to daily and kept in a secure steel case library in the computer room with restricted access. The Company will consider storing such data off-site.

VMS LOGICAL SECURITY SETTINGS
(Carried over from FY 2003)

During our review, we noted that the setting of the LGI BRK TERM is set to 1. By setting the value to 1, the system forces all invalid password attempts from a username to be submitted from the same terminal to count towards a break-in attempt. Invalid attempts from different terminals will not be counted.

Passwords settings help contribute to the overall security of the system and to prevent unauthorized users from gaining access to the system. Likewise, prevention and early detection of violations are critical to safeguarding the availability and integrity of system resources. If strong password settings are not implemented and security violations are not monitored on a regular basis, over time, unauthorized users may access and modify data within the system without detection.

Recommendation:

Management should consider changing the value of the LGI BRK TERM to 0, which is a more conservative value. By setting the value to 0, all invalid password attempts counted towards a break-in attempt whether it is from the same or different terminal.

Management Response:

Agreed. It’s been corrected.

PHYSICAL SECURITY - - COMPUTER ROOM ACCESS

As part of our audit, we toured the computer room to determine whether adequate physical security and environmental controls exist and whether the access to the computer is properly restricted. We noted that the IT Director of Maxxess still has access to the computer room in order to have access to the server where the Cincom Control system which is located in the Iteris computer room.

We acknowledge that his access will be revoked sometime in early April 2004 when the Maxxess division will replace the currently used application system.

A well-structured and controlled physical environment is crucial to safeguard computer equipment. Lack of adequate physical environment controls can lead to costly damage of company equipment, as well as provide critical disruption or down time for the Company in the event equipment malfunctions. Additionally, granting inappropriate access to a person who belongs to another division that is no longer part of Iteris Holdings increases a risk of unauthorized access to the server.

Recommendation:

We recommend that management revoke access to the computer room as soon as the MAXxess division replaces application system.

Management Response:

The key combination was changed and the access for MAXxess users has been removed.

IS POLICIES AND PROCEDURES (Carried over from FY 2003)

During our review of the data processing environment, we noted that although the Company does have IS policies and procedures documented, these guidelines don’t appear to be effectively communicated to users. We acknowledge that very minimal IS policies and procedures are shared with the entire Company.

In order for policies and procedures to be adhered to, they must be communicated effectively to their intended audience. Without sharing and communicating the existing IS policies and procedures to the entire Company, the purpose of having the formal documented IS policies and procedures become useless.

Recommendation:

We recommend that the existing formal IS policies, standards, and procedures are put in a central repository that is easily accessible to the user population.

Management Response:

Agreed. In process. Most of the current procedures are in our existing exchange server. We are currently implementing a new exchange server company-wide.

Attachment C

Comment related to the Company’s Statement of Direct Labor and General OverheadDocumented Support of Claimed Expenses

Recommendation:

The evaluation of expense as to its allow ability in accordance with the Federal Acquisition Regulation (“FAR”) requires the contactor to be responsible for accounting for cost appropriately and for maintaining records, including supporting documentation, adequate to demonstrate that costs claimed have been incurred, are allocable to the contract, and comply with applicable cost principles (FAR Part 31.201-2(d)). The contracting officer may disallow all or part of a claimed cost that is not adequately supported.

During our testing, certain expenses lacked the required supporting documentation. Examples included:

• Business meals - attendees at business conference meals were not consistently included in the supporting documentation along with a description of the nature of the business discussed

• Lodging charges - incurred expenses often lacked itemized hotel receipts, particularly when such expense is reimbursed by company credit cards. Itemized hotel receipts allow the facilitation and provide the support as to allowable lodging (i.e., calculation of lodging per diems) and the identification of unallowable entertainment or alcohol.

• Airfare charges - detailed airfare receipts were not consistently available to support incurred airfare expenses. Such receipts allow the identification of airfare deemed unallowable (i.e., first or business class) in accordance with the FAR.

• Credit card charges - explanation of the nature of expense incurred and paid for by (Company) credit cards were not consistently provided.

• Miscellaneous expenses - contrary to company policy, cost greater than $25 were not consistently supported by receipt

By adequately supporting its reimbursable cost, the Company will be able to support a higher allowable indirect cost rate reimbursed on its federal and state contracts.

Management Response:

The Company is currently in the process of revising its Travel and Expense reporting policy. This “new” policy addresses the issues and concerns raised by Ernst & Young during the Company’s annual overhead rate audit. The new policy will be effective sometime in October 2004.