Understanding Radio Business Technology Risks: An IT Audit Risk & Controls Guide
From content creation and scheduling to transmission, advertising, and revenue management — a practitioner’s guide to understanding, auditing, and controlling the full radio broadcast value chain across Kenya, East Africa, and the continent.
Radio remains one of Africa’s most powerful and pervasive media platforms — and one of the least scrutinised from an IT audit and risk perspective. Across Kenya, Uganda, Tanzania, Rwanda, and the wider continent, radio broadcasters operate complex, technology-dependent business processes that generate significant revenues, handle sensitive listener and advertiser data, and operate under increasingly demanding regulatory regimes. Yet most internal audit functions treat radio as a “simple” business. It is not. This guide maps the end-to-end radio business process and equips IT auditors, risk managers, and assurance professionals with the tools to interrogate it rigorously.
The Radio Industry in Kenya and East Africa
Kenya alone is home to more than 120 licensed radio stations operating across AM, FM, and digital platforms, regulated by the Communications Authority of Kenya (CA) under the Kenya Information and Communications Act. Across East Africa, the landscape is similarly dense: Uganda’s Broadcasting Council oversees over 200 stations; Tanzania’s Tanzania Communications Regulatory Authority (TCRA) licenses another 100-plus. Regional media groups — including Nation Media Group, Royal Media Services, Radio Africa Group, and Standard Group — operate multi-station networks with centralised technology stacks and shared content infrastructure.
The business model has evolved substantially. Traditional advertising revenue is increasingly supplemented by digital streaming, mobile-integrated content, SMS and USSD listener engagement, podcast distribution, and data-driven audience measurement. This evolution has introduced material IT dependencies across every phase of the radio value chain — from content origination to revenue realisation — creating a risk surface that demands structured audit attention.
The End-to-End Radio Business Process: What Actually Happens
Radio broadcasting is not simply “talking into a microphone.” It is an integrated chain of business processes spanning content origination, production, scheduling, transmission, audience engagement, advertising fulfilment, and financial reporting. Each process domain carries distinct operational activities, technology dependencies, and risk exposures. Understanding what actually happens — operationally, in real life — is the foundation of effective IT audit.
Process Domain 1: Content Creation & Production
What actually happens: Programme producers, journalists, and on-air presenters create content across two primary categories — live and pre-produced. Live content includes news bulletins, talk shows, sports commentary, and drive-time programmes broadcast in real time. Pre-produced content encompasses recorded interviews, sponsored features, jingles, advertisements, drama serials, and syndicated content from international providers.
In practice, a Kenyan radio station running a morning show will have its presenters arrive at 04:30–05:00 for pre-show preparation. Producers pull scripts from a newsroom system (commonly iNews, ENPS, or locally developed tools), confirm running orders in a digital rundown system, load audio clips into a Digital Audio Workstation (DAW) such as Adobe Audition or the radio-specific Burli or Dalet platform, and brief presenters on commercial breaks. Simultaneously, journalists are filing stories from the field via mobile apps or WhatsApp, which are received, verified, and edited by a digital editor before being cleared for broadcast.
Content libraries and newsroom systems often have weak access controls. Disgruntled employees or external attackers who gain access can delete, modify, or leak pre-produced content — with immediate on-air consequences. At several East African stations, content has been corrupted ahead of key political broadcasts.
When journalists file content via WhatsApp, email, or consumer cloud platforms, there is no inherent verification of source authenticity. Fabricated or manipulated audio files introduced into a newsroom system can result in broadcast of false or defamatory content, with regulatory and legal consequences.
Newsroom and DAW systems should enforce least-privilege access, with producers unable to publish to transmission without editorial sign-off. Audit should verify user access matrices against job roles and test whether terminated employees retain system access.
All content modifications should be logged with timestamps and user IDs. Version control on pre-produced content files prevents unauthorised substitution. Audit should inspect whether DAW and newsroom platforms maintain immutable logs of content changes.
Process Domain 2: Programme Scheduling & Playlist Management
What actually happens: Every minute of a radio station’s broadcast day is planned in advance through a programme schedule managed in a traffic and scheduling system — commonly RCS NexGen, Selector, Myriad, or custom-built tools used across East Africa. The scheduling team allocates airtime blocks to programmes, music rotations, news, and commercial breaks. Music libraries — which for a typical Kenyan FM station may contain 20,000–60,000 tracks — are managed within the scheduling platform, with music scheduling algorithms rotating tracks based on category, tempo, daypart, and audience preference data.
Advertising slots are injected into the schedule by the traffic department, which cross-references confirmed sales orders from the advertising management system (AMS) against available inventory. The traffic operator produces a final hourly log — called a broadcast log or play list — which is exported to the on-air automation system. This log governs every second of the broadcast: which jingle plays at 07:02, which advertisement runs at 07:05, when the presenter microphone opens at 07:08.
Audit Insight — The Scheduling-to-Billing Integrity Gap
One of the most significant and underappreciated risks in radio broadcasting is the integrity gap between the advertiser’s booked spot, the scheduled broadcast, the actual transmission, and the invoice raised. Across East African stations reviewed by Sentinel Assurance Partners, we have identified instances where advertisements were invoiced but not broadcast, broadcast but not invoiced, or broadcast in the wrong daypart — constituting fraud risk, revenue leakage, and contract breach simultaneously. The scheduling-to-billing process chain is a critical audit priority.
Final broadcast logs should be locked and access-controlled once approved. Post-lock modifications should require dual authorisation and generate an alert. Audit should test whether the lock function is operative and examine modification logs for unapproved changes.
Automation systems should generate an as-broadcast log capturing every item actually transmitted with timestamps. The traffic system should automatically compare scheduled versus as-broadcast and flag discrepancies for management review within 24 hours.
Plays of licensed music must be tracked and reported to collection societies — including MCSK (Music Copyright Society of Kenya) and PRISK (Performers Rights Society of Kenya). Systems should automatically generate play reports; audit should verify completeness and accuracy against royalty payment records.
Advertising contracts specify the daypart (morning drive, daytime, evening) in which spots must air. Automated monitoring should flag daypart violations. Audit should sample as-broadcast logs against booking orders to quantify the rate of daypart non-compliance.
Process Domain 3: Transmission & Technical Operations
What actually happens: The on-air automation system — running on dedicated broadcast servers — reads the broadcast log and sequences audio playout through audio consoles and mixing desks to the studio output. This signal passes through silence detection systems, audio processing equipment (to normalise loudness levels as required by the CA), and then to the transmission chain: either direct to FM transmitters (for terrestrial broadcast) or via satellite uplink, IP streaming, or fibre to transmitter sites, remote transmitters, and digital platforms.
For a station like Radio Maisha or Classic 105 operating from Nairobi with regional transmitters in Mombasa, Kisumu, and Eldoret, the transmission infrastructure includes multiple transmitter sites linked to the main studio via microwave links or fibre circuits leased from Telkom Kenya, Safaricom, or Airtel. A transmitter fault at 07:30 on a weekday morning during peak listener hours represents not only a technical failure but a contractual breach of advertising commitments and a potential CA regulatory violation if the outage exceeds prescribed thresholds.
Many East African radio stations operate without redundant transmission paths. A single failed microwave link, power outage at a transmitter site, or automation server failure can take a station off-air entirely. The risk is compounded by unreliable grid power in regional transmitter locations, making UPS and generator management a critical operational control. Audit should map the full transmission topology and identify single points of failure.
The on-air automation system is the single most critical IT asset in a radio station. Compromise of this system — whether by ransomware, insider manipulation, or configuration error — can result in broadcast of inappropriate content, silence, or competitor material. Several African stations have experienced automation failures resulting in hours of dead air during high-revenue periods.
Broadcast-grade resilience requires a primary automation server with a hot-standby system capable of taking over within seconds of a primary failure. Audio storage should be mirrored. Audit should verify that failover has been tested within the last 90 days and that test results are documented. Reliance on untested failover is not a control — it is a gamble.
Transmitter sites should be monitored 24/7 via a remote monitoring and control (RMC) system that tracks transmitter status, power levels, antenna parameters, and site environmental conditions (temperature, generator fuel level). Alerts should escalate automatically to on-call engineers. Audit should verify monitoring coverage, alert thresholds, and escalation procedures.
Process Domain 4: Advertising Sales, Traffic & Revenue Management
What actually happens: Radio advertising is the primary revenue stream for most commercial stations in Kenya and East Africa. The advertising sales process begins when a client — directly or via a media buying agency — submits a booking order specifying the station, campaign period, number of spots, preferred dayparts, and the audio creative (the advertisement itself). The sales team records this in the advertising management system (AMS), which checks inventory availability and generates a booking confirmation.
The traffic department converts approved bookings into the broadcast schedule. Once the campaign period concludes, the AMS generates a post-broadcast reconciliation (called an “affidavit of performance” or “certificate of broadcast”) by comparing booking orders against as-broadcast logs. Finance then raises invoices. Payment collection — often complex given the involvement of media agencies acting as intermediaries — is managed through the ERP or accounting system, which must reconcile receipts against invoices and manage credit control for agencies that routinely pay on 60–90 day terms.
If the AMS does not automatically reconcile bookings against as-broadcast data, advertisements that air without a corresponding booking — or bookings that are not correctly invoiced — result in unrecovered revenue. Manual reconciliation processes are error-prone and frequently circumvented, particularly in high-volume periods like political campaign seasons or festive advertising windows.
Users with access to both the AMS and the billing system can create fictitious bookings, generate invoices, and redirect payments. In East African broadcast environments where financial controls are often weaker than technical controls, this fraud vector has been exploited. Segregation of duties between sales, traffic, and billing is a critical preventive control.
When a booked spot fails to air (due to schedule changes, technical faults, or pre-emption), the station is contractually obliged to provide a “make-good” spot at equivalent or better value. Failure to track and fulfil make-goods constitutes breach of contract and, cumulatively, represents significant revenue-equivalent liability.
Sales executives with system access to override standard rate cards can discount rates beyond approved thresholds to secure bookings, at the expense of station revenue. Without automated approval workflows and rate override audit trails, these discounts may be invisible to management until annual variance analysis.
Process Domain 5: Digital Operations, Audience Engagement & Data Management
What actually happens: Modern Kenyan and East African radio stations operate a parallel digital business alongside the FM transmission. This includes: live streaming via website and mobile app; podcast distribution through platforms including Spotify, Apple Podcasts, and locally developed aggregators; SMS and USSD listener interaction for competitions, dedications, and polls (generating telco revenue-sharing arrangements); WhatsApp community management; social media broadcasting; and integration with audience measurement platforms such as IPSOS Synovate’s listenership survey system used across East Africa.
The digital layer generates and processes significant volumes of listener personal data — names, phone numbers, location data, social media profiles, and interaction histories. This data is used for audience segmentation, targeted advertising, competition management, and revenue-sharing reconciliation with telco partners. It falls squarely within the scope of the Kenya Data Protection Act 2019, requiring lawful basis for processing, data subject rights management, and breach notification obligations — regulatory requirements that most radio stations have not fully operationalised.
Kenyan radio stations increasingly accept direct listener payments via M-Pesa for competitions, event ticketing, and premium content. The integration between M-Pesa’s API, the station’s competition management system, and the finance ERP creates a multi-system reconciliation requirement that is frequently not automated — leaving material exposure to unreconciled receipts and misappropriation of mobile money competition proceeds.
Stations that distribute content via third-party streaming platforms lose direct control over availability, user data, and revenue reporting. Platform outages, algorithm changes, and contract disputes can eliminate digital revenue streams with little notice. Third-party risk management frameworks should be applied to these platform relationships.
The emergence of generative AI tools capable of synthesising convincing voice audio creates a new content integrity risk. In the East African context — where radio is a primary vehicle for political communication — the broadcast of AI-fabricated audio attributed to public figures represents both a regulatory risk and a national security concern. Stations need content authentication protocols that current newsroom systems do not provide.
Consolidated IT Risk Register for Radio Broadcasting
Drawing the five process domains together, the following represents a consolidated IT risk landscape for a Kenyan or East African radio broadcaster, structured in the format used by IT auditors and risk committees:
-
Content IntegrityUnauthorised Content Modification or DeletionWeak access controls on newsroom and DAW systems allow internal or external actors to modify, delete, or substitute content ahead of broadcast, with immediate reputational and legal consequences.
-
Schedule IntegritySchedule-to-Broadcast Reconciliation FailureAbsence of automated reconciliation between the traffic system’s booking log and the automation system’s as-broadcast log creates undetected revenue leakage, advertiser fraud exposure, and regulatory non-compliance.
-
TransmissionTransmission System UnavailabilitySingle points of failure in the transmission chain — automation servers, microwave links, transmitter sites — expose the station to broadcast outages that breach advertiser contracts and CA licence conditions.
-
RevenueAdvertising Revenue Fraud & LeakageInsufficient segregation of duties across sales, traffic, and billing systems, combined with weak approval workflows, enables fictitious bookings, rate manipulation, and invoice fraud.
-
Data PrivacyListener Data Non-ComplianceCollection and processing of listener personal data via SMS, apps, and digital platforms without adequate consent management, data minimisation, and breach notification capability creates exposure under the Kenya Data Protection Act 2019.
-
Third-PartyUnmanaged Third-Party Technology RiskManaged service providers for automation, streaming, and cloud storage have privileged access to broadcast infrastructure without adequate contractual security requirements, SLA monitoring, or exit planning.
-
CyberRansomware & Targeted CyberattackRadio stations are increasingly targeted by ransomware actors who recognise the reputational leverage of taking a high-profile broadcaster off air. Broadcast IT systems often lack endpoint detection, network segmentation, and incident response capability.
IT Controls Framework for Radio Broadcasting
The following controls map directly to the risks identified above and are structured in the format used in IT audit programmes, aligned to the COBIT 2019, NIST CSF 2.0, and ISO/IEC 27001:2022 frameworks. Controls are categorised as Preventive (P), Detective (D), or Corrective (C).
Implement role-based access control (RBAC) on all broadcast-critical systems — newsroom, DAW, scheduling, automation, AMS, and ERP. User provisioning should follow a formal request-approval process; access should be reviewed quarterly; terminated employees must be deprovisioned within 24 hours. Privileged access to automation and transmission systems should require multi-factor authentication (MFA). Audit test: extract current user access lists and reconcile against active HR records.
The automation system must generate a comprehensive as-broadcast log that is automatically compared against the traffic system’s booking log daily. Variances — spots scheduled but not aired, spots aired but not booked — must be escalated to the traffic manager and commercial director within 24 hours. Audit test: sample three months of as-broadcast logs; independently reconcile against booking records and invoices; quantify unrecovered revenue from discrepancies.
No single individual should be able to create a booking, approve a rate override, generate an invoice, and record a receipt. System configurations should enforce this separation; where staff numbers make full SoD impractical (as in smaller East African stations), compensating controls — including weekly management review of the full billing cycle — must be documented and tested. Audit test: map system permissions against the four-stage revenue cycle; identify SoD conflicts and test compensating controls.
A tested Business Continuity Plan (BCP) must address: automation system failure, primary studio loss, transmission link failure, and power outage at transmitter sites. Recovery Time Objectives (RTOs) should be defined for each scenario; for a commercial FM station, the RTO for automation recovery should not exceed 15 minutes. RTOs must be validated through live DR tests, not desktop exercises. Audit test: review BCP documentation; verify test dates and results; assess whether RTOs align with CA licence conditions and advertiser SLAs.
For each digital listener engagement channel — SMS competitions, app registration, WhatsApp groups — a Data Protection Impact Assessment (DPIA) should be completed in accordance with the Kenya Data Protection Act 2019 and the Data Protection (General) Regulations 2021. Consent records must be captured, stored, and retrievable. A documented procedure must exist for responding to data subject access requests within 30 days. Audit test: review DPIAs for completeness; test consent capture mechanism; submit a sample data subject access request and measure response time and completeness.
Regulatory & Framework Mapping
IT auditors operating in the radio broadcast sector in Kenya and East Africa must navigate a multi-layered regulatory landscape that spans sector-specific broadcast regulation, data protection law, financial reporting requirements, and voluntary international frameworks. The following mapping aligns key radio business process risks to the applicable regulatory and framework requirements:
Regulatory & Framework Reference Matrix — Radio Broadcasting (Kenya & East Africa)
- Kenya Information & Communications Act (Cap 411A): Broadcast licensing, transmission standards, content regulation
- Communications Authority of Kenya: Licence conditions, broadcast standards, spectrum management
- Kenya Data Protection Act 2019: Listener data processing, consent, breach notification
- Data Protection (General) Regulations 2021: DPIAs, data subject rights, cross-border transfers
- Kenya Revenue Authority / Income Tax Act: Revenue recognition, withholding tax on agency commissions
- COBIT 2019: IT governance and management objectives for broadcast IT
- ISO/IEC 27001:2022: Information security management for broadcast systems
- NIST CSF 2.0: Cybersecurity framework applicable to transmission and digital infrastructure
- MCSK / PRISK / KECOBO: Music licensing, royalty reporting, copyright compliance
- Broadcasting Standards Act (Tanzania / Uganda): Regional broadcast compliance for multi-market operators
- GDPR (extraterritorial): Applicable where stations process data of EU residents via streaming
- IAS 18 / IFRS 15: Revenue recognition for advertising contracts and multi-element arrangements
Audit Programme: Key Questions for the IT Auditor
Questions every IT auditor should ask when reviewing a radio broadcaster:
- Is there an automated, daily reconciliation between the traffic system booking log and the automation system’s as-broadcast log? Who reviews it, and what happens when discrepancies are found?
- Who has the ability to modify a broadcast log after it has been approved by the traffic department? Is this access logged? Has it been used in the past 12 months?
- What is the Recovery Time Objective for the on-air automation system, and when was this last tested in a live exercise?
- Does the station have a documented and current data register covering all listener data collected through SMS, apps, competitions, and digital platforms? Has a DPIA been conducted for each collection channel?
- How are music play logs generated, reviewed, and submitted to MCSK and PRISK? Is this process automated, and what is the error rate between actual plays and reported plays?
- Who can create a new advertiser account and approve a rate override simultaneously in the AMS? Are there documented SoD exceptions, and what compensating controls are in place?
- Have all third-party vendors with access to broadcast systems been assessed against a vendor risk framework? Do contracts include security requirements and audit rights?
- What is the station’s documented response to a breach of listener personal data under the Kenya Data Protection Act 2019? Has this been tested?
Conclusion: Radio Is a Technology Business. Audit It Like One.
Radio broadcasting in Kenya and across East Africa is no longer a purely analogue, low-technology operation. It is an integrated, IT-dependent value chain in which content management systems, scheduling platforms, automation servers, transmission networks, advertising management systems, digital streaming infrastructure, and mobile engagement platforms are all interconnected — and all exposed.
The IT auditor who approaches a radio station engagement without understanding what actually happens — who touches the automation system, how a booking becomes a broadcast, how listener data flows from an SMS competition into a database — will miss the risks that matter most. The frameworks exist: COBIT 2019, NIST CSF 2.0, ISO 27001, the Kenya Data Protection Act, the Communications Authority’s licence conditions. The discipline required is to map them to the operational reality of the broadcast floor.
Sentinel Assurance Partners works with media organisations, regulators, and broadcast groups across Kenya and East Africa to design and execute IT audit programmes that reflect the real risk landscape of the radio business. If your organisation operates in the media sector and has not subjected its broadcast technology stack to structured IT audit scrutiny, the question is not whether risks exist — it is how large they have grown in their absence.


