I have been in this situation. If it's a friend my course of action is like this.
------------------------------------------------------------------------
Walk over to their desks (put nothing in writing) and let them know that you will be doing a network scan between the hours of X and X+4. If there were to be any 'inappropriate' material found on systems included in the scan, well, HR would have to be contacted and action taken.
You can mention that 'inappropriate' material can often be automatically installed on a system by merely visiting the wrong type of site, and that all efforts to remove said material should happen before the hour designated for the scan.
It also helps to tell them that you may or may not be able to inform them of the next time you have to run the scan, so their machines should be kept as clean as possible.
------------------------------------------------------------------------
This allows for a few things. First, you aren't/can't be implicated in any sort of cover-up (unless you are overheard giving your friend this 'advice'). Second, you will have a 'clean' scan that you can present to HR, informing them that everything is ship-shape. Third you have given your friend an out that doesn't indict or embarass him.
For you, the IT guy, you need to maintain two things. First, plausable deniability. Destroy the original scan and all references to it. If someone else runs a scan and finds the material you don't want them to be able to say that you had any knowledge of it. Second, more plausable deniability. CYA is the acronym of the day, Cover Your A... Booty.