An audit report released by Massachusetts State Auditor Diana DiZoglio revealed that the MBTA and Keolis Community Services, the company contracted to operate commuter rail services, have been mismanaging operations.

Keolis is in charge of operating, managing and staffing the MBTA’s commuter rail services, as well as maintaining, inspecting and repairing commuter rail infrastructure. They also are responsible for collecting fares from riders.

“Our report revealed significant issues that need to be remedied around the MBTA’s contract with Keolis,” DiZoglio said in a statement.

The audit revealed that the MBTA inaccurately assessed performance-based incentives and penalties for Keolis. The penalties and incentives are intended to motivate Keolis to perform at a high level, as well as hold the company accountable for fulfilling their responsibilities.

The MBTA did not assess approximately $3.3 million worth of penalties and inaccurately assessed approximately $258,000 worth of penalties. They overpaid approximately $106,000 in incentives and underpaid $105,000.

The audit also found that the MBTA has not been maintaining sufficient documentation of inspections designed to evaluate Keolis’ performance. These include tracking fare collection and safety inspections. These violations could inconvenience riders if fares are not collected properly, and harm riders physically if commuter rail infrastructure isn’t up to par, especially during winter weather.

The MBTA did not ensure that Keolis submitted mandatory reports relating to fare collection revenue and fleet maintenance on time, and failed to penalize Keolis for not doing so. The combination of disorganized fare collection and lack of assessed penalties resulted in revenue loss for the MBTA that must be compensated for by additional rider funding and taxpayers.

Representatives from the MBTA and Keolis declined to comment.

Jeff Loussaint, a third-year business management student who rides the commuter rail to campus, said he notices inconsistent fare collection at certain stops and times of the day. “With so many people getting on the commuter rail during rush hour, they just don’t always scan everybody’s tickets,” he said. “If you hop on the train between 7-9 a.m. and 4-6 p.m., you probably aren’t going to have to pay if you get off at South Station, JFK or Quincy Center.”

The audit also found that the MBTA was not tracking whether or not Keolis employees completed annual mandatory cybersecurity awareness training. This puts the MBTA at risk of cyber attacks, which could result in financial and reputational losses. This could also put important information stored in the Train Resource Management System at risk of being compromised.

It was found that the MBTA did not have an internal control plan, which could result in preventable risks, disjointedness and inefficient organization.

The MBTA was also not effectively monitoring Keolis’ compliance with disadvantaged business enterprise requirements. These requirements are put in place to provide disadvantaged business enterprises with an equal opportunity to compete for federally funded contracts. Additionally, it was reported that confidentiality language was used to potentially hide challenges regarding this issue.

The audit process was held up by delays and faulty information, such as when auditors asked the MBTA to identify officials responsible for the programs under review. There were also inconsistencies and inaccuracies in the data submitted by the MBTA, according to the report.

DiZoglio said her office will revisit the MBTA’s actions for a post-audit review in roughly six months. She added, “The MBTA must increase coordination & communication among departments to address inefficiencies.”