Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts Bay Transportation Authority - Automated Fare Collection System 2.0 Project (January 16, 2025)

January 16, 2025 · Massachusetts Bay Transportation Authority · Read the full official report on mass.gov ↗ · official site ↗

Published January 16, 2025 Audit covers January 1, 2018 – September 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The audit says the MBTA’s fare-payment upgrade has major management and financial-risk problems: deadlines could be extended too easily, required bond protection was missing for some work, payroll records did not match, and cybersecurity training was incomplete.
source
“This report focused on the MBTA’s Automated Fare Collection System (AFC) 2.0 project, estimated to cost $960.2 million, which includes an approximately $935.4 million contract, known as the Amended and Restated Project Agreement.”
Read the plain-English breakdown
What is this?

This is a state audit of the MBTA’s project to replace CharlieCards and CharlieTickets with a newer tap-and-go fare system across transit services.

“This project was created by the MBTA to replace the current Charlie Ticket / Charlie Card fare collection system with an advanced tap-and-go system that would allow the public to use multiple forms to pay fares.”
Why was it audited?

Auditors reviewed the project because they wanted to see whether the MBTA was protecting public money and managing the contract properly.

“In this performance audit, our goal was to determine whether the MBTA was properly managing its financial risk associated with this contract.”
Why it matters

If the MBTA does not tightly manage deadlines and costs, riders may wait longer for a better fare system and taxpayers may pay more.

“This affects the public by delaying their use of a more efficient system that will lead to quicker service and results in overspending of public funds because of change orders, price escalation because of inflation, and other cost pressures.”
What's in it for me?

For riders, the promised benefit is easier fare payment: tapping a card, phone, or contactless credit card, plus more ways to reload and manage an account.

“The MBTA’s Fare Transformation will make paying for transit easier and more convenient.”
The bottom line

The auditor found four main problems: contract deadlines could be overridden, bond protection was missing for some work, payroll records were not reconciled, and cybersecurity training was not completed by all users.

“Below is a summary of our findings, the effects of our findings, and our recommendations, with links to each page listed.”
What happens next

The auditor recommended that the MBTA tighten deadline controls, require proper bonds, fix payroll reconciliation, and make sure users complete cybersecurity training.

“We will share with you additional reports from this audit.”
Why it's significant

The auditor treats the MBTA as a high-risk agency because it has a large budget, complicated operations, and provides services where failures can affect riders and taxpayers.

“Based on our research, the MBTA is a “high-risk” agency that warrants consistent oversight due to the size of its budget, the complexity of its operations, and the risks related to the services it provides.”
Jargon, unpacked

AFC 2.0 means the new fare-payment system; SI means the project’s systems integrator; a surety bond is financial protection if a contractor fails; and a P3 is a public-private partnership.

“The contract between the MBTA and Boston AFC 2.0 OpCo LLC is known as a public-private partnership, or a P3.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

The MBTA contract allowed AFC 2.0 project deadlines to be overridden.
procurement/contractsinternal controls

Why it matters: The MBTA risks project delays, delayed public use of a more efficient fare system, overspending of public funds, and weakened project timelines.

Standard: The Amended and Restated Project Agreement includes contractual deadlines that should be used to ensure the contract is completed on time. ( Section 8 of Appendix 7 of the Amended and Restated Project Agreement )

2 recommendations
  • The MBTA should rigorously review and consider deadline overrides before management approves them, and use them sparingly and only when necessary.agency: disagreed
  • The MBTA should establish policies and procedures to ensure public works projects have strong controls for monitoring delays and cost overruns.agency: disagreed
Agency response & Auditor reply
Agency: "The MBTA disagrees with the [Office of the State Auditor’s (SAO’s)] conclusions with respect to this finding."
Auditor: "We disagree with the MBTA’s claims that this report’s characterization of the MBTA’s review periods is incomplete and inaccurate."
The MBTA did not ensure the Systems Integrator obtained a required surety bond for certain AFC 2.0 work.
procurement/contractsvendor oversightinternal controls

Why it matters: The MBTA may not be able to recover money paid on the contract if the project is not completed, creating risk to public resources.

Standard: Section 29 of Chapter 149 of the Massachusetts General Laws requires security by bond for certain public works contracts over $25,000. ( Section 29 of Chapter 149 of the Massachusetts General Laws )

1 recommendation
  • The MBTA should require contractors performing covered public works project work to obtain security by bond for one half of the total contract price and include bond requirements in procurement documents.agency: disagreed
Agency response & Auditor reply
Agency: "The MBTA disagreed with the SAO’s finding, providing the following information:"
Auditor: "We disagree that Section 29 of Chapter 149 of the General Laws is ambiguous regarding its requirements."
The MBTA did not reconcile AFC 2.0 payroll records to its general ledger.
payroll/timerecordkeeping/documentationinternal controls

Why it matters: Payroll and AFC 2.0 project costs could be misstated, making it difficult to determine project cost effectiveness and creating risk of employee overpayment or underpayment.

Standard: The Office of the Comptroller of the Commonwealth has issued payroll job aids and best practices for biweekly reconciliation of payroll records to the general ledger system. ( Office of the Comptroller of the Commonwealth payroll job aids and best practices )

3 recommendations
  • The MBTA should investigate and resolve the $349,523 variance between HR/CMS and FMIS for AFC 2.0 payroll expenses.agency: partially agreed
  • The MBTA should create policies and procedures for biweekly payroll-to-general-ledger reconciliations.agency: partially agreed
  • The MBTA should ensure payroll codes are appropriately applied to projects.agency: partially agreed
Agency response & Auditor reply
Agency: "The MBTA agrees that improvements can be made to future communications around time reporting out of the MBTA’s various systems."
Auditor: "The MBTA states that the data from HR/CMS was never meant to tie to the data from FMIS."
The MBTA did not ensure all information system users completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: The MBTA may expose itself to increased risk of financial and reputational losses.

Standard: National Institute of Standards and Technology Special Publication 800-53r5 and Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010 require initial and annual security awareness training. ( National Institute of Standards and Technology’s Special Publication 800–53r5, Security and Privacy Controls for Information Systems and Organizations; Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

1 recommendation
  • The MBTA should ensure all information system users complete cybersecurity awareness training as initial training and annually.
Agency response & Auditor reply
Agency: "The MBTA is reviewing to determine if these former employees did not complete cybersecurity training or the MBTA’s report on the completion of cybersecurity training omitted these former employees."
Auditor: "However, these individuals were employees during the audit period and thus should have received cybersecurity awareness training upon being hired."

Verified dollar findings

Projected / estimated $960,000,000 not in headline

Estimated or sample-projected amounts - shown separately because they are not a hard-identified dollar figure.

$960 million - project cost
Other identified $349,523 not in headline

Identified dollar findings that do not fall in a named band.

$349,523 - payroll variance
Context (excluded) $935,400,000 not in headline

Contract sizes, limits, thresholds, and fund balances - scale figures, never counted as money found.

$935.4 million - contract amount at risk

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Bay Transportation Authority .

See this entity's page with all 11 audits →