US gov't: IRS slips on securing workers' computers

02.03.2006
The Internal Revenue Service (IRS) must do a better job of maintaining the security settings it developed and deployed on employees' workstations under a common operating environment (COE), according to a report by the Treasury Inspector General for Tax Administration.

Currently, high-risk vulnerabilities could allow the computers to be compromised, Michael Phillips, Deputy Inspector General for Audit, said in the report.

Although the IRS developed the COE with secure configurations and installed those configurations on employees' computers, security settings have not been consistently maintained, Phillips said.

'In our sample of 102 computers with the COE installed [out of approximately 100,000], only 42 were sufficiently secure based on the IRS standards,' Phillips said. 'The remaining 60 computers complied with less than [90 percent] of the computer settings prescribed by the IRS or contained at least one high-risk vulnerability that could be exploited to either take control of the computer or render it unusable.'

In addition, 50 of the computers studied had at least one incorrect setting that could allow employees to circumvent security controls and inadvertently introduce vulnerabilities into the agency's network, according to the report. 'In our sample, 11 of the 102 computers contained 21 unauthorized software programs,' Phillips said in the report. 'Some of the programs were clearly not authorized for official business, such as card and board games.'

Phillips said the weak security settings could be attributed to systems administrators since they are generally the only people authorized to change security settings on employees' workstations.