Protiviti Contact

Protiviti Contact

Thomas Lemon

Managing Director


Thomas is a Director based in London within Protiviti’s IT Consulting practise. He joined Protiviti in 2004 to help launch the UK business, having previously worked at one of the ‘Big 4’ firms in their Technology Risk division. Tom has considerable experience providing IT Consulting solutions to large global financial services clients. He is also responsible for leading Protiviti’s global account activities for a top 10 global bank. Tom specializes in leading large, global security and IT risk programs and assessing and enhancing program governance structures to ensure business objectives can be met efficiently and effectively, within organizational constraints. Tom also specializes in identity and access management, IT security, IT governance, IT risk management, end user computing, and project risk management.


  • Cyber Security Strategy: Tom led an engagement at a large global asset management firm to help them shape and document their three-year information security strategy. His team worked with the company’s CISO and his management team in order to understand the firm’s strategic vision and objectives, information security risks, and the seven initiatives they have put in place in order to achieve these objectives and mitigate the identified risks to within appetite. The strategy was designed to help the organization achieve best-in-class information security practices and in doing so, deliver on the firm’s regulatory obligations and internal control objectives.
  • Security Policy Framework: Tom led a project to design and document an IT and Information Security policy framework at a global services company. The policies were based on industry good practices, including the CESG ‘10 steps to cyber security’. The policies used an innovative structure that Tom’s team designed, which catered for executive stakeholders and IT users across the Group. The CIO and IT leadership team provided very positive feedback and the policies were implemented globally.
  • Cyber Security Review: Tom led a comprehensive business-risk focused cyber security assessment at a global commodity trading firm. He worked with senior management stakeholders across the business to understand and explore key business risk scenarios of concern, their points of dependency on IT systems and information, their potential impact to the business and their likelihood based on the current state of the security control environment. Tom also worked with the business to understand their risk appetite relative to these risk scenarios. The top-down risk assessment was enriched with a bottom-up assessment of their security control environment, using the CESG ‘10 Steps to Cyber Security’ framework as a benchmark.
  • Logical Access Management program: Tom was the program manager for a significant Logical Access Management program at a global bank. The objective of the program was to implement an identity and access management solution and operating model to enhance the joiner, mover, leaver and recertification controls across the bank’s most critical applications and IT infrastructure platforms. Protiviti was asked to step into the program at a point where it was off track, drive delivery of near term critical milestones and reshape the program in order to get it back on track to deliver within overall program timelines.
  • Unauthorized Trading program: Tom led a project to implement segregation of duty controls across a large global investment bank’s most critical 500 applications to separate system access required by Traders and Non-Traders. The project was driven by a regulatory requirement that was delivered under considerable time pressure during an intensive 6-month period. The project involved designing, building and implementing enhancements to the bank’s identity management platform at pace using agile principles. The project on-boarded the 500 applications into this toolset, including established SoD rules. All SoD violations were then remediated and a BAU SoD violation management function was put in place. Tom’s team designed, built and operated the BAU SoD violation management function for the bank for over 2 years.
  • Privileged Access Program: Tom led a team that supported the global implementation of privileged access management tools and processes across IT infrastructure platforms in a global bank. His team project managed key components of the design, planning and implementation stages of the program and designed and implemented enhancements to the overall program governance structure. Tom’s team managed the implementation of a tool to manage shared accounts with privileged access (CyberArk). They were also responsible for documenting and implementing processes, procedures and a service support model for this solution.
  • Supplier Audit: Tom led an audit of the external WAN provider for a large global bank. The review was of several ITIL processes that the supplier operated in support of two critical services they provided to the bank. Our review covered the supplier’s Change Management, Incident Management, Problem Management and Hardware and Software Lifecycle Management processes. We were asked to mobilize a team within 24 hours to conduct the review, due to a recent series of major incidents that impacted the services. We achieved this mobilization and completed the review in the required timescale. We received positive feedback from our client stakeholders and the report helped our client negotiate a satisfactory response to the incidents that occurred impacting those services and associated control breakdowns. The report was communicated to the CIO and to other senior management in IT.
  • Identity Management Solution Implementation: Tom led a project to design, build and implement a new recertification tool for a global bank, which formed part of their strategic identity management platform. The tool was built in order to cater for huge volumes of system access data across the bank and a new workflow based recertification model. Tom also designed and implemented enhancements to the bank’s logical access management operating model based on the new solution and the business requirements that it was designed to achieve.
  • Global End User Computing Program: Tom led the European team supporting the delivery of a global project to improve the controls around EUC applications across a large global energy business, including their trading division. He also shared global project manager responsibilities and reported directly to senior client stakeholders. Tom’s team was responsible for implementing good practice design standards across hundreds of EUC applications developed in Excel and Access. He was responsible for designing and delivering global training activities across the Group and contributing towards sustainable governance processes. Tom supported the implementation of the ClusterSeven spreadsheet change control system across the Group for the most critical EUC applications.
  • Sourcing & Supplier Management Process Enhancements: Tom led a project to enhance a global bank’s sourcing and supplier management processes in order to cater for additional control requirements and better manage logical access risk presented by suppliers. The project delivered updated contract schedules, including specific control objectives that suppliers would be required to meet, enhanced supplier assurance processes, in order to monitor control effectiveness at suppliers, and an improved mechanism to review supplier services in order to determine the scope of control objectives that suppliers must meet.
  • IT Risk Management Program: Tom defined the IT risk and control governance framework for a large global bank, in accordance with their internal enterprise risk management policy and aligned to the COBIT framework. Tom led a team that set and agreed IT control requirements in Group policy, defined key indicator reporting requirements for monitoring risk hot spots and implemented processes to identify IT control deficiencies resulting in non-compliance with policy and to monitor remedial activities. Tom worked with business and IT executive level stakeholders to embed the risk and control framework across the organization.
  • IT Risk Management Transparency Project: Tom designed and implemented a process to interpret and communicate technology risk and control information from the IT organization of a large global bank to its customer business units as part of a global transformation program. Tom managed a large number of senior stakeholders, chaired multiple working groups and steering committee meetings, delivered detailed process maps, a reporting toolset and supporting materials and managed the implementation of these across the firm.
  • Trading Business End User Computing Project: Tom supported a project to map critical front office processes and managed a subsequent phase of the project to improve controls around the development and use of spreadsheets at a large, multinational oil and gas company. Tom documented and implemented a Business Critical Spreadsheet Policy, including supporting governance processes and training program. He liaised extensively with key business and IT sponsors to identify and publish a workable set of control processes to support the key principles defined in this policy. Tom developed a spreadsheet analysis methodology using a combination of automated tools and manual techniques. He also managed a team of developers responsible for performing remedial actions to address spreadsheet design deficiencies identified via this analysis approach.
  • IT Governance Project: Tom designed a framework to improve the governance of intra-group third party IT service providers at the UK company of a large insurance group. The framework included an agreement between parties, a consistent set of control objectives, a reporting and monitoring process and a consideration of ongoing assurance activities.
  • Distributor audits: Tom performed European-wide distributor audits on behalf of a large multinational information technology hardware manufacturing and research firm. Tom helped develop the distributor audit methodology based on his review of contracts between the IT firm and its distributors. He extensively applied his data analysis skill set to model key contractual terms and conditions in automated routines with the purpose of using client and third-party data to recalculate rebates and program related payments to identify instances of overpayment.
  • Sarbanes-Oxley Compliance Projects: Tom provided consulting services supporting a number of large multinational organizations, primarily within the Banking, Energy, Manufacturing and Service industry sectors, achieve and maintain compliance with the Sarbanes-Oxley Act. Tom recently provided SOX consulting services to a global bank, assisting them with their year 1 to year 2 transition. The client’s objective was to move from an expensive project to an efficient and effective ongoing compliance process. To help achieve this, Tom streamlined the General Computer Controls methodology by implementing a risk based approach and an improved issue assessment process. Tom has also managed large teams responsible for delivering IT process documentation and controls testing activities in support of achieving Sarbanes-Oxley compliance.
  • Royalty Audits: Tom managed the royalty audits of two European licensee locations of a leading global apparel company. The audits looked at the completeness and accuracy of the licensee’s royalty calculations and the appropriateness of deductions from reported sales. In addition, an analysis of shipping locations was performed to identify if licensed goods were being sold to locations not included in contract terms. Manual techniques were combined with data analysis activities to conduct the audit efficiently and effectively.
  • Royalty Audits: Tom conducted a series of royalty audits at a licensed manufacturer that used his client’s intellectual property. Tom used manual and automated audit techniques to recalculate the royalty payments due and validate conformance with selected contract clauses.
  • IT Audit – Project Methodology: Tom reviewed the project methodology being used by a large media company. His focus was on the requirements specification process for a sample of projects across the organization’s portfolio. Thomas was responsible for meeting with key stakeholders, identifying areas of non-compliance with internal policy and identifying opportunities for improving the process in accordance with best practice principles.
  • Application Controls Review: Tom managed a review of application controls across two instances of SAP in client locations across Europe. Tom used Protiviti’s Assure Controls tool to perform a snapshot analysis of key configurable controls within SAP. He identified effective key controls to be incorporated into the client’s Sarbanes-Oxley documentation and highlighted critical settings that were not good practice and presented a potential risk to the firm.
  • Security Review: Tom evaluated the adequacy of systems and processes established by client management to administer and secure network routers and firewalls at a large media company. Tom managed a team that was responsible for organizing and completing all aspects of the audit. He conducted key stakeholder meetings and reported results directly to the Head of IT Audit. The final report included observations and recommendations that were discussed and agreed with all business owners and the Head of Internal Audit before being issued.
  • Application Baseline Testing: Tom worked with business and IT staff at a large multinational oil and gas company to baseline a number of key financial applications to support the company’s Sarbanes-Oxley compliance activities.


  • Cyber Security
  • Identity and Access Management
  • IT Governance & Risk Management
  • Project, Program & Portfolio Management
  • End User Computing
  • IT Audit


  • Financial Services
  • Energy


  • IT Consulting


  • MMATH Mathematics (Hons) University of Bath
  • Certified Information System Auditor (CISA)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Project Management Professional (PMP)
  • Prince 2
  • ITIL


  • Barclays
  • BP
  • British Sky Broadcasting
  • BlackRock
  • Co-operative Bank
  • Compass Group
  • Gazprom Marketing & Trading
  • Morgan Stanley
  • TSB
  • Universities Superannuation Scheme
  • Zurich Insurance Company