Metro has failed to track its computer and software purchases, bought equipment that doesn't meet its own standards and left some new items unused for at least two years, according to a recent inspector general audit.
The report, issued by Metro Inspector General Helen Lew, found the agency cannot fully account for all the software and hardware acquisitions it made in the 2010 and 2011 fiscal years.
Her investigators even found three paper feeders and 11 Dell monitors that had been bought in 2009 for $4,888 but were still in storage, unused as of Aug. 31, 2011. The agency redistributed the equipment once told of it.
Metro did not make "sound business decisions" in buying some equipment and purchased some items that didn't comply with the agency's own standards, the audit said, increasing "the risk of system vulnerabilities occurring" on a network that now has some 12,000 devices on it.
The agency's information technology department created a standards guide in 2009 so Metro could have a comprehensive technology strategy, updating the plan in 2011.
But instead, the agency has what it calls a "decentralized business management environment," meaning the IT department does not control -- or even know about -- purchases made by other departments.
Of a sample of purchases reviewed, the IG found more than $111,000 in nonstandard software and hardware, including one $11,434 order for two Apple computers, three 27-inch screens and software for chief spokesman Dan Stessel's team. The agency does not support Apple computers.
"The decision to buy nonstandard equipment was based on the need for better technology for our communications outreach," said Assistant General Manager Lynn Bowersox. "They have proven to be important tools for the staff."
The IT department did not always follow its own rules, either. The audit found that the head of IT didn't approve some purchases it was required to, including one for $81,000.
Separately, the audit found Metro failed to adequately scrub computers' hard drives when its sold equipment as surplus, with investigators retrieving sensitive personnel information from two hard drives.
The agency agreed with some of the findings, and has since established a policy to redistribute any equipment that had not been claimed for 30 days after the department that purchased it is contacted three times.
But the agency disagreed that it's making the network vulnerable. And it estimates that creating a recommended agencywide equipment-tracking system would cost roughly $700,000 in software development, what it calls an "impractical" and "unnecessary expense."