Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts Bay Transportation Authority (MBTA)

April 23, 2020 · Massachusetts Bay Transportation Authority · Read the full official report on mass.gov ↗ · official site ↗

Published April 23, 2020 Audit covers January 1, 2017 – March 15, 2019 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that the MBTA had security weaknesses at bus and rail maintenance sites because former employees’ access cards were not always collected, destroyed, or turned off quickly.
source
“The Massachusetts Bay Transportation Authority (MBTA) did not ensure that employee access identification (ID) cards were retrieved and destroyed and that security access was disabled promptly when employees left the agency.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the MBTA covering January 1, 2017 through March 15, 2019, with some security-access testing extending later into 2019.

“This report details the audit objectives, scope, methodology, finding, and recommendations for the audit period, January 1, 2017 through March 15, 2019.”
Why was it audited?

Auditors wanted to know whether the MBTA had enough physical security to keep unauthorized people out of vehicle maintenance and storage facilities.

“The objective of this audit was to determine whether the MBTA had sufficient physical security measures in place to prevent unauthorized access to its vehicle maintenance and storage facilities.”
Why it matters

These facilities hold and service MBTA vehicles, so weak security can put riders, workers, and public property at risk.

“Effective physical security controls at these facilities are essential to the MBTA’s ability to protect its customers and employees and to safeguard its most critical assets.”
What's in it for me?

If you ride the MBTA or pay taxes in Massachusetts, this matters because the audit is about protecting transit facilities, employees, passengers, and public resources.

“As a result, the facilities were vulnerable to unauthorized access, placing the security and safety of MBTA property, passengers, and employees at risk.”
The bottom line

The main problems were that access cards were not consistently recovered or destroyed, and former employees’ access was sometimes left active for long periods.

“The delays gave individuals continued access to MBTA facilities and properties for months and even years after separation.”
What happens next

The auditor recommended that the MBTA immediately review access, create clear rules for handling departing employees, and monitor whether access is shut off promptly.

“The MBTA should perform an immediate review of the status of all employees and deactivate security access for those who no longer require access and/or are not authorized to have it.”
Why it's significant

Auditors found real evidence that some former employees used MBTA facilities after leaving the agency, showing the weakness was not just theoretical.

“As a result of this issue and the issue discussed in Finding 1a, we found 85 instances (involving 35 individuals) where former MBTA employees physically accessed MBTA facilities after their effective termination dates.”
Jargon, unpacked

An employee access ID card is the MBTA badge workers use to prove they work there and, where card readers exist, to enter restricted areas.

“These cards confirm employees’ affiliation with the MBTA and are used by the MBTA to control access to restricted areas of facilities and buildings equipped with card readers.”

What the Auditor checked

What the Auditor found

The MBTA did not ensure that employee access ID cards were retrieved and destroyed when employees left the agency.
internal controlspublic safetyrecordkeeping/documentation

Why it matters: Former employees or unauthorized individuals could use MBTA access ID cards to enter secured areas, avoid screening, or receive free access, increasing security and criminal-risk exposure.

Standard: MBTA's Employment Separations policy and MBTA Employee Policy Manual require employees to return agency property, including employee IDs, upon separation. ( MBTA's Employment Separations policy )

3 recommendations
  • The MBTA should perform an immediate review of the status of all employees and deactivate security access for those who no longer require access and/or are not authorized to have it.agency: already implemented
  • The MBTA should develop and implement an authority-wide policy and detailed procedure for the processing of terminated employees.agency: agreed
  • The MBTA should develop and implement monitoring controls to ensure that security access for separated employees is promptly disabled.agency: agreed
Agency response & Auditor reply
Agency: "The MBTA agrees with the recommendation and will assess the best means to expediently implement a solution."
The MBTA did not promptly disable separated employees' security access.
internal controlspublic safetyrecordkeeping/documentation

Why it matters: Former employees retained unauthorized access to MBTA facilities and properties for months or years, creating risks to facilities, property, workers, passengers, and public safety.

Standard: National Institute of Standards and Technology Special Publication 800-53r4 recommends terminating or revoking credentials when employment ends.

3 recommendations
  • The MBTA should perform an immediate review of the status of all employees and deactivate security access for those who no longer require access and/or are not authorized to have it.agency: already implemented
  • The MBTA should develop and implement an authority-wide policy and detailed procedure for the processing of terminated employees.agency: agreed
  • The MBTA should develop and implement monitoring controls to ensure that security access for separated employees is promptly disabled.agency: agreed
Agency response & Auditor reply
Agency: "Cardholder deactivations depend on timely flow of information between departments, which can vary due to a variety of factors."
Auditor: "Based on its response, the MBTA is taking appropriate measures to address our concerns."
The MBTA did not promptly disable separated employees' free transportation privileges.
internal controlscash handling

Why it matters: Former employees received free transportation to which they were not entitled, resulting in at least $5,517 in estimated lost revenue.

Verified dollar findings

Other identified $5,517 not in headline

Identified dollar findings that do not fall in a named band.

$5,517 - lost revenue

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Bay Transportation Authority .

See this entity's page with all 11 audits →