The IG's office recommends that the agency's CIO hold system administrators accountable for maintaining the correct security settings on computers after the COE is deployed. The CIO should also ensure that the system administrators run the IRS's configuration-checking program on a sample of workstations on a periodic basis and conduct workstation security reviews. The system administrations should also follow up on workstations where proper updates were not successfully installed, identifying all computers without the agency's COE image and either install it, replace the computers or manually bring the computers into compliance.

'We also recommended [that the CIO] use available tools to identify possible unauthorized software installed on computers, consider purchasing software metering tools, and assign responsibility for monitoring software with significant license agreement costs,' Phillips said.

In the report, IRS CIO, W. Todd Gramms said he agrees with the findings and most of the recommendations and is committed to securing employees' workstations.