A three-year state audit of the Maryland Transportation Authority found significant problems with how the organization handles purchases and an inadequate "disaster recovery plan" if its E-ZPass toll collection system fails.
The authority, which operates state toll facilities and transportation infrastructure such as the Chesapeake Bay Bridge for the Maryland Department of Transportation, said it is addressing the issues.
The report, released Wednesday by the state's Office of Legislative Audits, reviewed the agency's operations between January 2010 and March 2013.
Finding that the MdTA lacks proper purchasing controls, the audit said that "60 employees had the ability in MdTA's automated purchasing system to initiate and approve purchasing transactions, and record the receipt of the related purchases without independent approval."
In one case in 2012, the audit found, a single employee initiated and approved approximately $933,000 in purchases, and also recorded receipt of about $377,000 worth of those purchases.
The audit does not cite any improper transactions, but found such purchases "could be made and not be readily detected" under MdTA's current procurement structure.
The audit recommends that the agency institute new controls, a recommendation similar to one made in a 2010 audit.
In response, the MdTA said it is developing a new system to limit a single employee's ability to control multiple stages of transactions and approvals, and that "access rights will be restricted to the extent feasible" until it comes online.
The audit also found that the state's E-ZPass toll collection servers and network devices are all centrally located and the MdTA had failed to establish a back-up site in case of a disaster.
It found the MdTA — which collected more than $389 million in tolls in 2012, $249 million through E-ZPass — had not outlined plans for the "restoration of network connectivity" in case of a failure, and had a "communications plan" that hadn't been updated since May 2010, did not address certain technical issues and hadn't been tested.
The audit recommended the agency create and maintain a new disaster plan and periodically test it.
The MdTA said the "risk of lost revenue" is limited by the ability of individual toll lane systems to store revenue data for long periods without accessing the centralized servers. Despite that, the authority said it plans to develop a back-up system by this summer and begin annual testing of its new disaster recovery plan.
In a separate state audit of the transportation department's Office of Transportation Technology Services, officials recently found several security issues with the department's core computer network, including some involving firewalls critical to protecting it.
The network includes the Motor Vehicle Administration databases, the Maryland Port Administration's marine terminal system, and the department's payroll system, among others.
No breaches of the systems were reported, and the transportation department said it already has implemented many of the auditor's recommendations to better track personnel actions and changes on the department's network, especially those related to firewalls.
The department said it will initiate two remaining recommendations on June 30, including performing a "documented review and assessment of its network security risks" to identify further improvements.