And the likelihood of them doing so is heightened with the city set to host the G20 summit meeting in November next year, it says.
Investigators took on the role of hackers for three weeks, finding it was too easy to breach the city's traffic management systems, which are co-run by the Department of Transport and Brisbane City Council.
On several occasions they broke into the IT systems responsible for traffic management and even gained access to restricted buildings.
If actual hackers were able to breach the systems, they could engineer traffic jams and slow down response times in the event of an emergency, the report said.
The report pointed to a "general lack of staff awareness" regarding security risks, particularly how to defend against "social engineering" techniques.
These include gaining entry to a restricted area by simply following a staff member, or obtaining usernames and passwords by pretending to be a trustworthy person via email.
Staff were lax in logging and reviewing potential security breaches, and the automatic systems for detecting intrusions were sparsely implemented, the report found.
In addition, the policies surrounding which staff had access were found to be flawed, with nearly one in five accounts belonging to ex-employees.
Both the Department of Transport and Brisbane City Council, which were shown the report before it was published, say they have begun improving security measures.
Council CEO Colin Jensen said in a letter to the audit office that "comprehensive risk assessments" have been completed.
"Further, the application of controls to mitigate the various risks identified are in progress, as well as other improvement actions."