FRANCE: Auditing IT governance, strategy and security of 6 universities in French overseas territories
To improve the overall level of training, higher education provision in overseas France has expanded and diversified considerably. Between 2002 and 2022, the number of students in overseas France rose by 54%. Against this backdrop, the French Cour des Comptes audited the functioning of higher education and research in overseas territories of France, in particular through the management of 6 universities: in French Guiana, the French West Indies, French Polynesia, New Caledonia, Reunion and Mayotte.
Overseas territories concerned by the report.
The French Cour des Comptes' digital audit department was asked to analyze:
- IT governance and strategy: analysis of budgets, missions and IT vision
- IT security: knowledge of IT assets, access management, implementation of protection systems, awareness-raising, compliance with legislation
- Business continuity: definition and implementation of the business continuity plan, disaster recovery plan and tests carried out
The auditors travelled to meet the staff and gain a better understanding of the problems encountered. The audit was particularly interesting, as it enabled us to gain an overview of the overseas universities, identify common issues, and compare their operations and actions.
In terms of information systems governance, the information systems function is often split between several departments, as is the case at the University of La Réunion and the University of New Caledonia. Information systems departments are relatively isolated and often find it difficult to carry out their missions in a cross-functional manner, in liaison with the business departments. The fragmentation of the function and the lack of cross-functionality within establishments explain the absence of a consolidated, multi-year vision of IT expenditure.
Furthermore, with the exception of the University of French Polynesia and the University of the West Indies, the universities have no digital master plan or multi-year investment program. As a result, communication between the various "business information systems" is not perfect, and interoperability between applications is clearly inadequate, hampering the overall management of the establishments.
As regards compliance with regulations, progress towards compliance with the General Data Protection Regulation (GDPR) is uneven. In addition to insufficient monitoring of the IT processing register, there is a lack of awareness among staff of the challenges of personal data protection and, more generally, IT security.
Finally, the French overseas territories are confronted with major natural and technological hazards. This is particularly true of the University of Guyana, which suffered a 24-hour power cut in 2022, and the University of Mayotte, which was the victim of a cyber-attack in 2024. In the six universities audited, IT security is often inadequate: there is no formal information systems security policy, no information systems security officer, no business continuity plan or disaster recovery plan, and so on.
Despite the heterogeneity of situations, it is important to strongly develop the IS function within overseas universities, with the triple objective of reinforcing IT security in a context where natural and technological risks are numerous, ensuring compliance with regulations and, finally, consolidating business applications by developing their interoperability.
Read the report (in French).