US gov't: IRS slips on securing workers' computers

02.03.2006

'Maintaining secure settings also includes correcting new vulnerabilities that are identified by software vendors or the computer industry. However, the IRS did not ensure all new vulnerabilities on employee workstations were being addressed,' according to the report. 'We found 29 of the 102 computers in our sample did not have the latest COE update version. COE updates contain the latest available security patches to address new vulnerabilities. When the automated update installation failed, employees were not aware of the failure and did not take actions to install the updates. System administrators also did not follow up to ensure the updates had been installed.'

In addition, the COE image has not been installed on more than 4,700 IRS workstations, meaning those computers lack critical security patches and contain high-risk vulnerabilities, including incorrect password-length settings and inadequate virus protection, Phillips said. 'These computers are especially susceptible to computer viruses that could render them unusable....'
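The failure mode the report describes is a deployment tool whose silent failures nobody reconciled against what the workstations actually ran. The script below is an added example, not code from the report, the IRS or InfoWorld, of the check a system administrator would run to catch that: it compares the push tool's own status log with the version each host reports, so a host is only counted as patched when the host itself says so. The log format, the field names (`host=`, `target=`, `status=`, `coe=`), the baseline version string `COE-4.2` and all host names are invented for this example; the sample data is constructed, not taken from the report.

```python
"""Patch-compliance reconciliation (added example; formats and data are hypothetical).

Assumptions: the deployment tool writes one status line per push attempt, each
workstation reports its installed COE version through an inventory agent, and the
current baseline version is known. Versions are compared by exact string match.
"""

EXPECTED_COE = "COE-4.2"  # assumed current baseline (hypothetical version string)

# Constructed deployment-tool log: one line per push attempt, in time order.
DEPLOY_LOG = """\
2006-01-15T02:10:11Z host=ws-0101 target=COE-4.2 status=SUCCESS
2006-01-15T02:10:14Z host=ws-0102 target=COE-4.2 status=FAILED reason=disk_full
2006-01-15T02:10:19Z host=ws-0103 target=COE-4.2 status=SUCCESS
2006-01-15T02:10:23Z host=ws-0104 target=COE-4.2 status=FAILED reason=reboot_pending
2006-01-15T02:10:27Z host=ws-0106 target=COE-4.2 status=SUCCESS
2006-01-16T02:10:25Z host=ws-0104 target=COE-4.2 status=SUCCESS
"""

# Constructed inventory: the version each workstation itself reports.
# "none" stands for a machine that never received the COE image at all.
INVENTORY = """\
host=ws-0101 coe=COE-4.2
host=ws-0102 coe=COE-4.1
host=ws-0103 coe=COE-4.1
host=ws-0104 coe=COE-4.2
host=ws-0105 coe=none
host=ws-0107 coe=COE-4.1
"""


def parse_kv(text):
    """Turn 'k=v k2=v2' tokens into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in text.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def parse_deploy_log(text):
    """Return {host: fields of the most recent attempt}; later lines override earlier ones."""
    last_attempt = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, rest = line.split(None, 1)
        fields = parse_kv(rest)
        fields["ts"] = timestamp
        last_attempt[fields["host"]] = fields
    return last_attempt


def parse_inventory(text):
    """Return {host: reported COE version string}."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_kv(line)
        inventory[fields["host"]] = fields.get("coe", "none")
    return inventory


def reconcile(deploy_text, inventory_text, expected):
    """Classify every host seen in either source.

    The host's own report decides compliance; the deployment log only explains
    why a non-compliant host is behind (failed and never retried, or the tool
    claimed success that the host does not confirm).
    """
    attempts = parse_deploy_log(deploy_text)
    inventory = parse_inventory(inventory_text)
    findings = {}
    for host in sorted(set(attempts) | set(inventory)):
        reported = inventory.get(host)
        attempt = attempts.get(host)
        if reported is None:
            findings[host] = "no_inventory_report"       # cannot verify anything
        elif reported == "none":
            findings[host] = "no_coe_image"              # never imaged at all
        elif reported == expected:
            findings[host] = "compliant"
        elif attempt is None:
            findings[host] = "never_targeted"            # stale and no push attempted
        elif attempt["status"] == "FAILED":
            findings[host] = "update_failed_no_retry"    # failure nobody followed up
        else:
            findings[host] = "success_reported_but_stale"  # tool says done, host disagrees
    return findings


def followup_list(findings):
    """Hosts an administrator must act on: everything that is not verified compliant."""
    return sorted(host for host, state in findings.items() if state != "compliant")


if __name__ == "__main__":
    result = reconcile(DEPLOY_LOG, INVENTORY, EXPECTED_COE)
    for host, state in result.items():
        print(f"{host}: {state}")
    print("follow-up:", ", ".join(followup_list(result)))
```

The point of the design is that a SUCCESS line from the push tool is never treated as proof: ws-0103 is reported as done by the tool yet still runs the old version, and would have slipped through the kind of review that only reads the deployment log. ws-0105 models the workstations that never received the image, and ws-0106 shows why a host missing from the inventory feed must be flagged rather than assumed patched.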

The report also indicates that the IRS is paying for software licenses that it rarely uses. For example, the full version of Adobe Acrobat is an advanced software package with features employees are probably either unaware of or rarely use, Phillips said.

'In practice, most IRS employees only need the Adobe Reader, which is free software,' Phillips said. 'The IRS paid approximately US$2.3 million for 10 fully licensed versions of Adobe Acrobat. The IRS is also under agreement for annual maintenance and support for an additional $2.3 million each year.'

If system administrators had performed the necessary configuration audits, they would have identified software packages that are no longer needed, Phillips said. 'At the time of our review, we were not aware of any such software configuration reviews being conducted,' he said.