Auditors from the Legislative Audit Division told the Legislative Audit Committee that Montana’s Statewide Accounting, Budgeting, and Human Resources System (commonly called Sabers or Savers) is mission‑critical but shows inconsistencies and documentation gaps that reduce control effectiveness.
“Sabers is a large system that utilizes a commercial product… The system contains personal payment and employment information for over 15,000 state employees,” Shana Geppner, associate information technology auditor, told the committee. The audit evaluated policies and safeguards required under MCA 2‑15‑114 and used NIST SP 800‑53 as guidance for control expectations.
Auditors identified three primary issues: internal policy and procedure documentation that is out of date or recorded only at the module level (financials vs. HR), missing formal periodic reviews of agency role assignments, and reliance on informal or institutional knowledge instead of a documented configuration‑management plan. Geppner noted the net effect is inconsistent application of controls across modules and increased risk that inappropriate user access could persist as staff change roles.
The report recommended the Department of Administration (the agency that manages Sabers) consolidate and formalize policies and procedures across the system; require agency security account managers to review user roles at least biannually; and develop and document a formal configuration‑management plan covering both Savers Financials and Savers HR.
Director Diane Giles (Department of Administration) said the agency concurs with the recommendations. She told the committee the department plans to consolidate Sabers policies across finance and HR, bolster security documentation and user‑access review requirements, and complete a configuration plan “by next April” — roughly one year from the audit presentation. Giles asked committee members for patience during implementation and offered agency staff for follow‑up technical questions.
Committee members sought clarification of the audit’s findings. Senator McGilvray asked whether auditors had found actual instances of excessive access; Geppner said auditors found nine user accounts with conflicting roles that should not be held together and described those as examples of where the principle of least privilege was not being enforced. Geppner and Giles emphasized the distinction between documentation gaps and immediate technical compromise, saying the department already manages many safeguards but needs stronger, consistent documentation and review processes.
The committee accepted the audit report by motion.
Next steps: the audit recommendation schedule calls for the department to formalize consolidated policies and a configuration‑management plan and to report back to the committee on progress. Auditors and agency staff said they will coordinate on measurable milestones for the forthcoming year.