Aviation is one of the most complex, technology-dependent industries in the world. For IT auditors and risk professionals across Kenya, East Africa, and the wider continent, understanding how airlines actually work — operationally, commercially, and technically — is the essential foundation for effective audit coverage, meaningful risk assessment, and credible control recommendations.

Why Airline IT Audit Demands End-to-End Process Understanding

African aviation is undergoing a period of rapid expansion. Kenya Airways, Ethiopian Airlines, RwandAir, Air Tanzania, and a growing number of regional carriers are investing in digital transformation, expanding their route networks, and integrating with global distribution systems at a pace that has outstripped the maturity of risk and control frameworks in many organisations. The 2023 Single African Air Transport Market (SAATM) initiative, championed by the African Union, has further accelerated cross-border operations and the IT integration challenges that accompany them.

Airline operations are not a single business process — they are an interlocking chain of interdependent systems, handoffs, and decisions that span commercial, operational, and financial domains. A failure or weakness at any point in the chain can cascade into revenue loss, regulatory sanction, reputational damage, or a safety incident. IT auditors who approach airline engagements without a genuine understanding of how the airline operates in the real world will audit systems in isolation, miss the meaningful risks, and produce findings that operational management will reasonably dismiss.

  • 87% of airline operational disruptions have a technology failure as a root or contributing cause (IATA 2025)
  • $3.2B: estimated annual revenue leakage across African airlines from revenue accounting and billing control gaps
  • 6 core end-to-end airline business processes that every IT auditor must understand before scoping a review
  • 14+ distinct IT systems that integrate across a typical airline operation, each presenting unique access and data risk

The Airline End-to-End Process Map

At its core, an airline business can be mapped across six interconnected macro-processes. Each macro-process contains distinct sub-processes, generates specific data flows, relies on one or more IT systems, and carries its own risk and control requirements. Before examining each in detail, it is important to understand the overall flow.

  01. Schedule & Network Planning: slot allocation, route planning
  02. Reservations & Distribution: CRS, GDS, direct channels
  03. Departure Control: check-in, boarding, load control
  04. Flight Operations: dispatch, crew, ATC
  05. Ground & Cargo Ops: ramp, handling, cargo
  06. Revenue & Finance: ticketing, proration, BSP

Process 1: Schedule & Network Planning

In real life, an airline’s planning team begins constructing a flight schedule six to eighteen months before the first departure. The schedule planner analyses market data, passenger demand forecasts, aircraft availability, airport slot constraints, bilateral air service agreements (negotiated between governments), crew base locations, and competitor positioning. For a carrier like Kenya Airways operating out of JKIA Nairobi, this also involves coordinating with the Kenya Airports Authority (KAA) and KCAA for slot approvals, and with partner airlines under codeshare and interline agreements.

The key IT systems here are Network Planning Systems (such as Sabre AirVision or Lufthansa Systems Naviair) and Slot Management Databases. The output of this process — the operational schedule — flows into every downstream system and process. An error or unauthorised change to the schedule at this stage can trigger cascading disruption across reservations, crew rostering, maintenance planning, and airport operations simultaneously.

Process 2: Reservations & Distribution

Once the schedule is published, the airline opens inventory for sale. In practice, this means publishing seat availability across multiple channels simultaneously: the airline’s own website and mobile app, Global Distribution Systems (GDS) such as Amadeus, Sabre, and Travelport used by travel agents worldwide, Online Travel Agencies (OTAs) like Expedia and Booking.com, airline mobile applications, and code-share partner booking systems. For East African carriers, sales are also routed through a significant number of physical travel agents across the region, particularly in markets such as Uganda, Tanzania, and Rwanda where digital adoption, though growing, remains uneven.

The Central Reservation System (CRS) or Passenger Service System (PSS) — platforms such as Amadeus Altéa, Navitaire New Skies, or SITA Horizon — is the heart of this process. It manages real-time inventory, pricing, fare rules, booking classes, and passenger data across all channels. Revenue management analysts work continuously to adjust price points and booking class availability based on demand signals, competitor pricing, and load factor targets.

Auditor’s Note — Why PSS Access Controls Are Critical

The Passenger Service System is simultaneously an airline’s most operationally critical and most broadly accessed IT system. Thousands of users — reservation agents, airport staff, travel agents through GDS interfaces, partner airline staff, and system interfaces — interact with the PSS continuously. Weak access controls in the PSS create risk of fraudulent ticket issuance, unauthorised price overrides, and manipulation of booking data. In East Africa, several incidents of fraudulent ticketing through compromised travel agent credentials have been documented. The PSS access control environment must be a priority scope area for any airline IT audit.

Process 3: Departure Control — What Actually Happens at the Airport

The Departure Control System (DCS) is where the airline’s digital operations meet the physical passenger experience. On the day of departure, check-in agents and self-service kiosks use the DCS to verify passenger identity documents, assign seats, print boarding passes, tag baggage, and collect airport taxes and excess baggage fees. The DCS is linked to the PSS to pull the booking record, and to immigration systems for advance passenger information (API) submission to border authorities.

Simultaneously, the load controller is using the DCS — or a dedicated load and trim system — to manage the weight and balance of the aircraft. Every piece of baggage weighed and loaded, every passenger boarded, and every unit of cargo loaded contributes to the aircraft’s actual versus planned weight and centre of gravity. This is not merely an operational calculation: it is a safety-critical process governed by KCAA regulations and ICAO standards. Incorrect load data, whether through system error or deliberate manipulation, can compromise flight safety.

Gate control then sequences the boarding process, scanning boarding passes against the DCS manifest. At the closing of the flight, the DCS generates the final passenger manifest (which is transmitted electronically to the Civil Aviation Authority) and the movement message that triggers downstream operational and revenue processes.

Process 4: Flight Operations

Flight operations is the domain of the Operations Control Centre (OCC) — the nerve centre of an airline’s day-to-day operation. The OCC monitors all flights in real time, managing disruptions, re-routes, crew substitutions, aircraft swaps, and communications with air traffic control. Flight dispatchers generate the Operational Flight Plan, which incorporates weather data, NOTAMs (Notices to Airmen), airspace restrictions, fuel calculations, and alternate airport requirements. In Kenya, the KCAA operates as the designated Air Navigation Service Provider and its systems interface directly with airline dispatch systems.

Crew management systems handle the rostering, qualification tracking, duty time monitoring, and fatigue risk management of pilots, cabin crew, and engineers. These systems must enforce regulatory limits — under KCAA CARs (Civil Aviation Regulations) and ICAO Annex 6 standards — in real time. An IT control failure that allows crew scheduling beyond legal duty limits does not merely represent a compliance failure: it directly elevates the risk of a crew incapacitation event.

Process 5: Ground Handling & Cargo Operations

Ground handling encompasses the physical processes of aircraft turnaround: passenger embarkation and disembarkation, baggage handling and sorting, aircraft cleaning, catering loading, fuelling, technical servicing, and cargo loading and offloading. In Africa, most airlines contract ground handling to specialised third-party Ground Handling Agents (GHAs) such as Swissport, Menzies Aviation (present across several African airports), or airport-owned handlers such as Kenya Airways Ground Handling Limited (KQ-GH).

The cargo process is a significant and often under-audited revenue stream. Cargo acceptance, AWB (Air Waybill) issuance, ULD (Unit Load Device) tracking, dangerous goods screening, customs clearance, and cargo tracing all depend on the Cargo Management System (CMS). The integration between the CMS, the airline’s DCS, and IATA’s Cargo-XML messaging standards creates multiple data integrity and revenue leakage risk points that are frequently missed in conventional IT audits.

Process 6: Revenue Accounting & Finance Settlement

After the aircraft departs, the financial cycle begins. The Revenue Accounting (RA) process collects all revenue documents — electronic tickets (ET), miscellaneous charges orders (MCO), EMDs (Electronic Miscellaneous Documents) for ancillary fees, and cargo waybills — validates them against flown data from the DCS, and posts them to the general ledger. For interline journeys — where a passenger travels on multiple airlines’ tickets within a single booking — the airline must prorate the revenue between carriers according to IATA proration rules and settle net amounts through the IATA Billing and Settlement Plan (BSP) or the IATA Clearing House (ICH).

This is where unchecked IT risks translate most directly into financial loss. Revenue leakage in the RA process — through unmatched coupons, duplicate refunds, incorrect proration, BSP settlement errors, or delayed revenue posting — is endemic in the African aviation sector and typically goes undetected for months without a robust automated revenue integrity control environment.
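
The matching step described above, written as an audit test an IT auditor could run over two extracts. This is an added example, not code from any vendor's Revenue Accounting product; the record layout, document type names, and ageing bands are assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import date

AGE_BUCKETS = [(7, "0-7d"), (30, "8-30d"), (90, "31-90d")]  # assumed ageing bands

# Constructed sample extracts (ticket numbers are fictitious).
AS_OF = date(2025, 3, 1)
FLOWN = [  # coupons the DCS recorded as flown
    {"ticket": "9990000000001", "coupon": 1, "flight_date": date(2025, 2, 27)},
    {"ticket": "9990000000002", "coupon": 1, "flight_date": date(2025, 2, 10)},
    {"ticket": "9990000000003", "coupon": 1, "flight_date": date(2024, 11, 1)},
    {"ticket": "9990000000004", "coupon": 1, "flight_date": date(2025, 2, 20)},
]
RA_DOCS = [  # documents posted in the Revenue Accounting system
    {"ticket": "9990000000001", "coupon": 1, "type": "FLOWN_REVENUE", "posted": date(2025, 2, 28)},
    {"ticket": "9990000000004", "coupon": 1, "type": "FLOWN_REVENUE", "posted": date(2025, 2, 21)},
    {"ticket": "9990000000004", "coupon": 1, "type": "REFUND", "posted": date(2025, 2, 25)},
    {"ticket": "9990000000005", "coupon": 1, "type": "FLOWN_REVENUE", "posted": date(2025, 2, 15)},
    {"ticket": "9990000000006", "coupon": 2, "type": "REFUND", "posted": date(2025, 1, 10)},
    {"ticket": "9990000000006", "coupon": 2, "type": "REFUND", "posted": date(2025, 1, 12)},
]


def age_bucket(ref_date, as_of):
    """Place an exception in an ageing band by days outstanding."""
    days = (as_of - ref_date).days
    for limit, label in AGE_BUCKETS:
        if days <= limit:
            return label
    return ">90d"


def reconcile(flown, ra_docs, as_of):
    """Match flown coupons to RA documents; return one dict per exception."""
    flown_by_key = {(f["ticket"], f["coupon"]): f["flight_date"] for f in flown}
    posted, refunds = {}, {}
    for d in ra_docs:
        key = (d["ticket"], d["coupon"])
        if d["type"] == "FLOWN_REVENUE":
            posted[key] = d["posted"]
        elif d["type"] == "REFUND":
            refunds.setdefault(key, []).append(d["posted"])

    out = []

    def add(key, issue, ref_date):
        out.append({"ticket": key[0], "coupon": key[1], "issue": issue,
                    "age": age_bucket(ref_date, as_of)})

    for key, flight_date in flown_by_key.items():
        if key not in posted:            # lifted but revenue never recognised
            add(key, "FLOWN_NOT_POSTED", flight_date)
        if key in refunds:               # money returned on a used coupon
            add(key, "REFUND_ON_FLOWN_COUPON", min(refunds[key]))
    for key, posted_on in posted.items():
        if key not in flown_by_key:      # revenue recognised with no lift record
            add(key, "POSTED_NOT_FLOWN", posted_on)
    for key, dates in refunds.items():
        if len(dates) > 1:               # same coupon refunded more than once
            add(key, "DUPLICATE_REFUND", min(dates))
    return out


def ageing_summary(exceptions):
    """Volume of open exceptions per (issue, ageing band)."""
    return Counter((e["issue"], e["age"]) for e in exceptions)


if __name__ == "__main__":
    for (issue, band), n in sorted(ageing_summary(reconcile(FLOWN, RA_DOCS, AS_OF)).items()):
        print(f"{issue:24} {band:7} {n}")
```
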

IT Risks Mapped to Each Process

With the end-to-end process understood, the IT auditor can now map specific technology risks to each stage of the airline’s operation. These are not generic IT risks — they are the specific failure modes that matter most in the airline context, informed by the operational realities described above.

Schedule Integrity & Unauthorised Changes

Network planning systems rarely have robust change management controls. Unauthorised or untested schedule modifications can propagate across connected systems — triggering ghost bookings, incorrect inventory, and crew planning conflicts — before detection.

PSS/CRS Access Control & Fraudulent Ticketing

Excessive user access in the Passenger Service System, combined with weak monitoring of pricing and ticket issuance activities, enables revenue fraud. Compromised travel agent credentials and internal agent fraud through unauthorised waivers and fare overrides are documented risks across East Africa.

DCS Data Integrity & Safety-Critical Load Data

Inaccurate weight and balance data resulting from DCS errors or manual override of automated limits represents a direct aviation safety risk, in addition to a regulatory compliance exposure. Load sheet falsification has been implicated in multiple incidents globally.

OCC Systems Availability & Resilience

The Operations Control Centre is a single point of failure for airline operations. Unplanned OCC system downtime — whether from infrastructure failure, cyberattack, or software defect — can immobilise an entire airline’s operation within hours, with significant cascading passenger and regulatory consequences.

Third-Party & GHA Data Interface Risk

Ground handling agents receive and transmit operationally and commercially sensitive data. Poorly controlled API integrations between airline systems and GHA systems create data leakage, manipulation, and availability risks that the airline cannot directly observe or control.

Revenue Accounting Reconciliation Failures

Automated reconciliation between the DCS, PSS, and Revenue Accounting System is a complex process that fails silently in many airline environments. Unmatched revenue documents, incorrect proration calculations, and BSP settlement errors accumulate into material financial misstatement if not detected promptly.

Passenger Data Privacy & GDPR/DPA Exposure

Airlines collect extensive Passenger Name Record (PNR) data, including travel history, payment data, dietary requirements, and health information. Under Kenya’s Data Protection Act 2019 and equivalent legislation in Uganda, Tanzania, and Rwanda, inadequate PNR data governance carries mandatory breach notification obligations and significant financial penalties.

Cybersecurity & Ransomware Exposure

African airlines increasingly operate internet-facing systems — booking engines, mobile apps, cargo portals — with uneven patch management and endpoint security maturity. IATA’s Cyber Security Awareness Programme has identified African carriers as a growing target for ransomware groups that understand the operational leverage an airline outage creates.

IT Controls Framework for Airline Audit

Effective IT controls in the airline environment must address both general IT controls (GITCs) that underpin all systems, and application-level controls embedded within each specific system. Below is a structured mapping of the key controls an auditor should evaluate, organised by process area.

Access & Identity Controls

  • Least-privilege access in PSS
    Objective: Only authorised users can issue tickets, apply waivers, or override fares
    What to audit: Review user access matrices; test that pricing override functions require supervisor approval; confirm joiner-mover-leaver process is enforced; check GDS agent credential management
    Risk level: Critical
  • OCC and flight operations system access
    Objective: Only qualified dispatchers and operations staff access flight plan and crew management data
    What to audit: Review role-based access in the OCC platform; confirm duty roster access is restricted to HR and crew planning; verify crew qualification data is not modifiable by non-authorised users
    Risk level: Critical
  • Revenue Accounting system segregation
    Objective: Staff posting revenue documents cannot approve settlements or access BSP submission functions
    What to audit: Test segregation of duties in the RA system; review journal entry authorisation; verify BSP submission is dual-controlled
    Risk level: High
  • Third-party GHA interface credentials
    Objective: Ground handler system integrations use dedicated service accounts with minimal permissions
    What to audit: Inventory all API integrations with GHAs; confirm service accounts are non-privileged and credential-rotated; review interface logging
    Risk level: High
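
Three of the tests listed above (segregation of duties in the RA system, joiner-mover-leaver enforcement, and GHA service account hygiene) can be run over a role-assignment export joined to an HR status list. The following is an added example, not part of the original article or any vendor tool; the role names, account names, export layout, and 90-day rotation limit are assumptions, and the sample records are constructed.

```python
from datetime import date

# Assumed role names; map them to the real role catalogue before use.
SOD_CONFLICTS = [
    ("RA_POST_DOCUMENT", "RA_APPROVE_SETTLEMENT"),
    ("RA_POST_DOCUMENT", "RA_BSP_SUBMIT"),
]
PRIVILEGED_ROLES = {"PSS_FARE_OVERRIDE", "PSS_WAIVER", "RA_BSP_SUBMIT"}
MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy

# Constructed sample extracts.
AS_OF = date(2025, 3, 1)
GRANTS = [
    {"user": "ra.clerk01", "role": "RA_POST_DOCUMENT"},
    {"user": "ra.clerk01", "role": "RA_BSP_SUBMIT"},
    {"user": "ra.super01", "role": "RA_APPROVE_SETTLEMENT"},
    {"user": "pss.agent01", "role": "PSS_TICKET_ISSUE"},
    {"user": "pss.agent02", "role": "PSS_FARE_OVERRIDE"},
    {"user": "tmp.agent07", "role": "PSS_TICKET_ISSUE"},
    {"user": "svc-gha-ramp", "role": "DCS_BAG_MESSAGE"},
    {"user": "svc-gha-cargo", "role": "PSS_WAIVER"},
]
HR_STATUS = {"ra.clerk01": "ACTIVE", "ra.super01": "ACTIVE",
             "pss.agent01": "ACTIVE", "pss.agent02": "LEAVER"}
# Service account -> date its credential was last rotated.
SERVICE_ACCOUNTS = {"svc-gha-ramp": date(2025, 1, 20),
                    "svc-gha-cargo": date(2024, 6, 1)}


def review_access(grants, hr_status, service_accounts, as_of):
    """Return (account, finding, detail) tuples for the three access tests."""
    roles = {}
    for g in grants:
        roles.setdefault(g["user"], set()).add(g["role"])

    findings = []
    for user in sorted(roles):
        held = roles[user]
        # Segregation of duties: one account holding both sides of a pair.
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                findings.append((user, "SOD_CONFLICT", f"{a}+{b}"))
        if user in service_accounts:
            # Interface accounts should be non-privileged and rotated.
            for role in sorted(held & PRIVILEGED_ROLES):
                findings.append((user, "PRIVILEGED_SERVICE_ACCOUNT", role))
            age = (as_of - service_accounts[user]).days
            if age > MAX_CREDENTIAL_AGE_DAYS:
                findings.append((user, "STALE_CREDENTIAL", f"{age}d"))
        elif user not in hr_status:
            # Human-looking account with no owner in HR: never joined properly.
            findings.append((user, "NO_HR_RECORD", ""))
        elif hr_status[user] != "ACTIVE":
            findings.append((user, "LEAVER_STILL_ACTIVE", hr_status[user]))
    return findings


if __name__ == "__main__":
    for row in review_access(GRANTS, HR_STATUS, SERVICE_ACCOUNTS, AS_OF):
        print(*row)
```
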

Change Management & System Integrity Controls

1. Schedule Change Management

All modifications to the published operational schedule must pass through a documented change control process with impact assessment, sign-off by Network Planning and Operations, and controlled propagation to the PSS, DCS, and crew systems. Auditors should review change logs in the scheduling system and confirm no schedule changes were made outside the approved change window without appropriate escalation.

2. Fare and Inventory Configuration Controls

Changes to fare rules, booking class availability, and pricing parameters in the PSS must be tested in a staging environment before production deployment. Given that the PSS is a vendor-managed platform for most African carriers, auditors should specifically examine the contractual obligations and access arrangements of the PSS vendor’s technical support team.

3. DCS Load Sheet Override Controls

The DCS must enforce automated weight and balance limits and require documented supervisor authorisation for any override of system-generated load limits. Every override must be logged with user ID, timestamp, and reason. Auditors should extract override logs and evaluate whether the override frequency and justification patterns indicate a control culture problem.

4. Revenue Accounting Automated Matching

Automated reconciliation between flown coupon data from the DCS and revenue documents in the RA system should operate on a daily cycle with exception reporting for unmatched items. Auditors should review the age and volume of unmatched items in the RA system, the process for resolving exceptions, and whether write-off authority is appropriately controlled and reported.
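
For the DCS load sheet override control (item 3 above), the review of override frequency and justification patterns can be scripted over the extracted log. This is an added example, not part of the original article or any DCS product; the log field names, the per-controller load sheet counts used as a denominator, the list of generic reasons, and the thresholds are assumptions, and the log entries are constructed.

```python
from collections import Counter, defaultdict

GENERIC_REASONS = {"", "n/a", "ops", "as instructed"}  # assumed non-justifications
MAX_OVERRIDE_RATE = 0.10      # assumed: overrides per load sheet produced
REPEAT_SHARE = 0.80           # assumed: share of one reason that looks copy-pasted

# Constructed override log extract.
OVERRIDES = [
    {"flight": "XX101", "user": "lc01", "supervisor": "sup1", "ts": "2025-02-03T05:41", "reason": "late cargo"},
    {"flight": "XX102", "user": "lc01", "supervisor": "sup1", "ts": "2025-02-04T05:38", "reason": "late cargo"},
    {"flight": "XX103", "user": "lc01", "supervisor": "",     "ts": "2025-02-05T05:44", "reason": "Late cargo"},
    {"flight": "XX104", "user": "lc01", "supervisor": "sup1", "ts": "2025-02-06T05:40", "reason": "late cargo"},
    {"flight": "XX201", "user": "lc02", "supervisor": "lc02", "ts": "2025-02-07T13:02", "reason": "n/a"},
    {"flight": "XX301", "user": "lc03", "supervisor": "sup2", "ts": "2025-02-08T09:15",
     "reason": "Fuel uplift revised after reroute; trim recalculated"},
    {"flight": "XX302", "user": "lc03", "supervisor": "sup2", "ts": None,
     "reason": "Two passengers offloaded at gate; bags removed"},
]
# Load sheets each controller produced in the same period (the denominator).
LOAD_SHEETS = {"lc01": 20, "lc02": 50, "lc03": 40}


def review_overrides(entries, load_sheets):
    """Return (subject, finding) pairs: per-record gaps, then per-user patterns."""
    findings = []
    reasons_by_user = defaultdict(list)
    for e in entries:
        reason = e["reason"].strip().lower()
        if not e["ts"]:
            findings.append((e["flight"], "INCOMPLETE_RECORD"))
        if not e["supervisor"]:
            findings.append((e["flight"], "NO_SUPERVISOR_APPROVAL"))
        elif e["supervisor"] == e["user"]:
            findings.append((e["flight"], "SELF_APPROVED"))
        if reason in GENERIC_REASONS:
            findings.append((e["flight"], "NO_MEANINGFUL_REASON"))
        reasons_by_user[e["user"]].append(reason)

    for user in sorted(reasons_by_user):
        reasons = reasons_by_user[user]
        # Frequency: overrides should be the exception, not routine practice.
        if len(reasons) / load_sheets[user] > MAX_OVERRIDE_RATE:
            findings.append((user, "HIGH_OVERRIDE_RATE"))
        # Justification pattern: the same text reused across most overrides.
        _, top_count = Counter(reasons).most_common(1)[0]
        if len(reasons) >= 3 and top_count / len(reasons) >= REPEAT_SHARE:
            findings.append((user, "REPEATED_JUSTIFICATION"))
    return findings


if __name__ == "__main__":
    for subject, finding in review_overrides(OVERRIDES, LOAD_SHEETS):
        print(subject, finding)
```
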

Regulatory & Framework Mapping

Airline IT audit in Africa operates within a complex, multi-layered regulatory environment. IT auditors must understand which frameworks apply to which processes and how to map their audit findings to the relevant standards. Failure to do so renders the audit report less actionable for management and less credible with regulators.

Regulatory & Standards Landscape — African Aviation IT Audit

  • ICAO Annex 17 — Aviation Security
  • ICAO Doc 9984 — Security of Passenger Data
  • IATA Operational Safety Audit (IOSA)
  • IATA Cyber Security Awareness Programme
  • KCAA Civil Aviation Regulations (CARs) — Kenya
  • Kenya Data Protection Act 2019
  • TCAA Regulations — Tanzania
  • UCAA Regulations — Uganda
  • BCAA Regulations — Rwanda / Burundi
  • AU Single African Air Transport Market (SAATM)
  • PCI DSS v4.0 — Payment Card Data
  • NIST CSF 2.0 — Cybersecurity Framework
  • ISO/IEC 27001:2022 — Information Security
  • COBIT 2019 — IT Governance

Framework-to-Process Mapping

  • Schedule & Network
    Frameworks: COBIT 2019 — APO08, APO09; ISO 27001 A.12 (Operations)
    Schedule systems are in scope for availability and integrity controls under COBIT and ISO 27001. IOSA checks align to ORM (Operational Risk Management) standards. Change management must satisfy COBIT BAI06.
  • Reservations & PSS
    Frameworks: PCI DSS v4.0; Kenya DPA 2019; ICAO Doc 9984; NIST CSF Protect
    The PSS handles cardholder data (PCI DSS scope), PNR data (ICAO and DPA scope), and identity data. IATA Resolution 787 governs PNR data sharing with governments. Auditors must assess both the PSS application and all integrated GDS and OTA interfaces.
  • Departure Control
    Frameworks: ICAO Annex 17; KCAA CARs Part 19; ISO 27001 A.9 (Access Control)
    DCS is explicitly in scope for ICAO Annex 17 security controls. API (Advance Passenger Information) transmission is regulated by KCAA and border agency requirements. Load control processes are subject to ICAO Annex 6 operational safety standards.
  • Flight Operations
    Frameworks: ICAO Annex 6; KCAA CARs Part 8; IOSA ORG, OPS, FLT Standards
    Crew management systems must enforce duty time limits per ICAO Annex 6 and national CAR requirements. Flight planning systems must integrate real-time weather and NOTAM data per KCAA requirements. The OCC is the primary asset for IOSA OCC standards compliance.
  • Ground & Cargo
    Frameworks: IOSA GRH, CGO Standards; IATA Dangerous Goods Regulations; KCAA CARs Part 14
    Ground handling agreements must incorporate minimum IT security and data interface standards. Cargo Management Systems must enforce DGR screening controls per IATA and KCAA requirements. Third-party GHA IT risk must be assessed under IOSA GRH.1.6.
  • Revenue & Finance
    Frameworks: IATA Resolution 787; BSP Manual; ISO 27001 A.12; COBIT APO12, MEA03
    BSP settlement processes are governed by IATA BSP Manual requirements including dual-control and reconciliation standards. Revenue Accounting systems must satisfy financial reporting integrity requirements. Auditors should map RA system controls to IAS/IFRS 15 (Revenue from Contracts with Customers) for financial statement audit alignment.

The IOSA Audit — What IT Auditors Need to Know

The IATA Operational Safety Audit (IOSA) is mandatory for IATA member airlines and is increasingly required by African national regulators as a condition of AOC renewal. IOSA audits cover eight standards sections, several of which have direct IT implications: Flight Operations (FLT), Operational Control and Flight Dispatch (DSP), Aircraft Engineering (MNT), Ground Handling (GRH), Cargo Operations (CGO), and Security (SEC). IT auditors supporting an airline’s IOSA preparation or conducting post-IOSA IT assurance work must understand which IOSA standards map to which IT systems and controls.

Key Questions for the IT Audit Committee — Airline Sector

  1. Does the airline have a documented IT risk register that is specifically mapped to operational processes, not just generic IT categories?
  2. Has the PSS/CRS undergone an independent access control review in the past twelve months? What was the finding on segregation of duties and GDS credential management?
  3. Is the DCS load control system subject to formal change management, and are load sheet override logs reviewed by a qualified independent function?
  4. What is the current volume and ageing profile of unmatched revenue documents in the Revenue Accounting system?
  5. Has a third-party risk assessment been performed on all Ground Handling Agents with direct IT system interfaces?
  6. Does the airline have a documented cyber incident response plan that has been tested within the last twelve months, including OCC and PSS failure scenarios?
  7. Is PNR data governance aligned with Kenya’s Data Protection Act 2019 and ICAO Doc 9984 requirements?

The African Aviation IT Risk Context

IT auditors working with African airlines face a set of risk conditions that differ materially from those of their European or North American counterparts. Understanding these contextual factors is essential for calibrating audit scope and risk ratings appropriately.

Legacy Systems and Mixed Technology Environments

Many African carriers operate a patchwork of systems — some vendor-hosted SaaS platforms, some legacy on-premise applications, and some locally developed point solutions — that have accumulated over decades. The integration between these systems is frequently achieved through fragile custom interfaces with limited monitoring, error handling, or logging. Auditors should map the full system integration architecture before scoping any airline IT audit.

Third-Party Reliance and Vendor Risk

Very few African airlines host and manage their own PSS, DCS, or Revenue Accounting systems. The vast majority rely on global vendors such as Amadeus, Sabre, SITA, or Radixx — typically under cloud or shared-service arrangements. This creates a critical vendor risk management challenge: the airline’s data and operational continuity depend on a third party’s infrastructure and security posture that the airline cannot directly audit. IT auditors should review vendor contract provisions, SLA terms, SOC 2 reports, and the airline’s own third-party risk management process.

Connectivity and Infrastructure Constraints

Reliable, high-speed internet connectivity cannot be assumed across all African airports and airline operations facilities. Several East African airports operate on constrained bandwidth that affects the real-time performance and reliability of cloud-hosted PSS and DCS platforms, particularly during peak operational periods. This creates both an availability risk and a business continuity risk that must be assessed.

Regulatory Fragmentation Across Borders

An airline operating across Kenya, Uganda, Tanzania, Rwanda, and Ethiopia simultaneously is subject to five distinct national aviation regulatory regimes, five data protection frameworks in various stages of implementation, and ICAO standards that are applied with varying levels of rigour by each national Civil Aviation Authority. IT auditors must understand which jurisdiction’s requirements apply to which systems and operations, and where the gaps between regulatory expectations and current control maturity are greatest.

Revenue Integrity as a Survival Issue

With airline margins operating at 1–3% in the best of times, revenue leakage through weak RA and ticketing controls is not merely a financial reporting issue — it is an existential threat. Several African airlines have experienced financial distress exacerbated by undetected revenue leakage that, with appropriate controls, should have been recovered. IT auditors must treat revenue integrity controls as a top-priority audit area, not a back-office accounting matter.

How Sentinel Assurance Partners Approaches Airline IT Audit

At Sentinel Assurance Partners, our airline IT audit methodology begins with an operational walkthrough — we require our team to understand the end-to-end process before a single control test is designed. We map the airline’s specific system architecture, integration points, regulatory obligations, and commercial structure before defining scope. This operational grounding allows us to produce findings that are genuinely actionable for operations, finance, and technology leadership, not just the IT department.

Our airline IT audit engagements cover the full process chain: network planning and schedule system controls, PSS/CRS access and fraud risk, DCS integrity and safety-critical data controls, OCC availability and resilience, GHA third-party IT risk, cargo management controls, and Revenue Accounting reconciliation. We map every finding to the relevant regulatory standard — KCAA CARs, IOSA standards, Kenya DPA 2019, PCI DSS, and applicable ICAO Annexes — so that remediation is grounded in both governance best practice and regulatory obligation.

Conclusion: Process Understanding Is the Foundation of Credible Airline IT Audit

Aviation is an industry where IT failure is not merely a business disruption — it can have safety, regulatory, and human consequences that no amount of post-incident remediation can fully reverse. For IT auditors, risk managers, and assurance professionals working with African airlines, the starting point is always the same: understand how the airline actually operates, from the moment a flight enters the schedule to the moment its revenue is settled and posted to the ledger.

The risks mapped in this article — PSS fraud exposure, DCS integrity risk, OCC availability vulnerability, third-party GHA data risk, and Revenue Accounting leakage — are not theoretical. They are the documented failure modes that have cost African carriers millions of shillings in lost revenue, regulatory fines, and operational disruption. With the right process understanding, the right control framework, and the right regulatory mapping, IT audit can be the function that prevents those losses — not merely the one that documents them after the fact.

Sentinel Assurance Partners brings operational understanding, regulatory fluency, and technical depth to every airline IT audit engagement across East Africa and beyond. We are available to discuss your specific audit scope, regulatory obligations, or control environment at any time.