
Board-level IT/IT Strategy Committee with documented charter

Primary statement

Board IT Committee operates as: (1) Board-level IT Strategy Committee with experienced directors advising on IT strategy, governance, oversight (RBI ITGRCA GV.1); (2) Board IT Committee with documented charter, membership including at least one director with IT expertise, defined cadence (SEBI GV.2); (3) Board overall responsibility for IT governance (RBI ITGRCA GV.8); (4) periodic IT risk review at three levels — senior management quarterly, AC half-yearly, Board annually (RBI ITGRCA RM.16); (5) RACI matrix including the IT Committee (SEBI GV.6); (6) CISO direct access to the IT Committee (SEBI GV.3).

Audit-fatigue payoff

A documented Board IT Committee charter + membership credentials + meeting calendar + minutes evidencing substantive discussion satisfies Board IT governance requirements across all 7 contributing frameworks. The director-with-IT-expertise requirement is the audit-defensible membership specification.

Strictness matrix

Scope
Scope: Board-level IT Committee (or equivalent) with a documented charter, defined membership including at least one director with IT expertise, and a defined cadence. The IT Committee covers IT strategy, cyber resilience, IT risk and IT assurance.
Ceiling source: sebi_cscrf:CSCRF.GV.2
Rationale: SEBI CSCRF GV.2 explicitly specifies membership and charter requirements.
Threshold
Threshold: at least one director with IT expertise on the Committee. The IT expertise requirement is binary (met or not met): a substantive IT/cyber background, not merely professional director experience.
Ceiling source: sebi_cscrf:CSCRF.GV.2
Rationale: SEBI CSCRF GV.2's IT-expertise threshold is uniquely strict.
Method
Method: (1) Board IT Strategy Committee with experienced directors (RBI ITGRCA GV.1); (2) documented charter with terms of reference; (3) membership including at least one director with IT expertise (SEBI GV.2); (4) defined cadence (quarterly typical); (5) CISO direct reporting access (SEBI GV.3); (6) substantive minutes showing IT/cyber discussion; (7) integration with the three-tier risk review (RBI ITGRCA RM.16); (8) Board overall responsibility for IT governance (RBI ITGRCA GV.8).
Ceiling source: rbi_itgrca:ITGRCA.GV.1
Rationale: RBI ITGRCA GV.1 + SEBI GV.2 + RBI ITGRCA GV.8 combine into the most prescriptive method.
Frequency
Frequency: IT Committee meetings quarterly (typical for active oversight). Board IT discussion at least annually per RBI ITGRCA RM.16 (more frequent for critical entities). Charter review annually.
Ceiling source: sebi_cscrf:CSCRF.GV.2
Rationale: A quarterly IT Committee with annual substantive Board discussion is the audit-defensible cadence.
Evidence
Required evidence: (1) IT Committee charter with terms of reference; (2) membership composition with the IT-expertise director(s) identified and their credentials; (3) meeting calendar; (4) meeting minutes showing substantive IT/cyber discussion; (5) evidence of CISO reporting access; (6) three-tier risk review records (RBI ITGRCA RM.16); (7) Board IT governance evidence (RBI ITGRCA GV.8).
Ceiling source: sebi_cscrf:CSCRF.GV.2
Rationale: SEBI CSCRF GV.2 evidence, with IT-expertise director credentials, is uniquely strict.

Auditor test pattern

Step 1: Inspect the IT Committee charter and its terms of reference.
Step 2: Inspect membership composition; verify at least one director with substantive IT expertise (credentials review, not self-declaration).
Step 3: Inspect the meeting calendar; verify the quarterly cadence and reconcile scheduled meetings against meetings actually held (cancellations count against the cadence).
Step 4: Inspect four quarters of minutes; verify substantive IT/cyber discussion (decisions, challenge, follow-up actions), not merely reports received.
Step 5: Verify CISO direct reporting access to the Committee.
Step 6: Verify the three-tier risk review per RBI ITGRCA RM.16 (senior management quarterly, AC half-yearly, Board annually), with records at each tier.

Common findings

Common 2024–26 findings:
(1) IT Committee charter exists but no director on it has IT expertise.
(2) Minutes are brief and informational rather than substantive.
(3) IT Committee is scheduled quarterly per the charter but meetings are frequently cancelled.
(4) CISO reports through the CIO/CTO rather than directly to the IT Committee.
(5) Three-tier risk review collapsed into a single tier (Board only).