
SCM GRC Case Study — From SoD Conflict to 100% Audit-Ready Operations

Grain Warehouse LLC · Piscataway NJ · Aug 2025 – Apr 2026 · 8-month live implementation
Aligned with J&J Tech, Risk & Governance JD · COSO Internal Control (2013) · COBIT 2019 · IIA Three Lines Model · Lunarix Technologies LLC · Yiduo Xiao
Headline metrics
SoD conflicts resolved: 4 / 4 (100% remediation · zero residual)
Avg risk reduction: −74% (12 risks · inherent → residual)
Billing dispute reduction: −12% (detective control via WMS audit)
Asset recovery rate: 100% (3 / 3 insurance claims · ~$22K)
Visual 1 — The universal language of risk
Risk Heat Map (5×5) — Inherent → Residual
[Interactive heat map. Axes: Likelihood × Impact. Bands: High (15+), Medium (8–14), Low (≤7). Solid dots (●) = inherent risk (before controls); ring dots (○) = residual risk (after controls). Movement toward bottom-left = successful risk reduction. Clicking a risk shows its category, inherent and residual scores, reduction, and mitigation strategy.]
Visual 2 — High-agency moment · COSO Principle 10 violation
"Same person was negotiating carrier rates AND approving payments. I restructured ERP roles before anyone asked."
1. What I saw
A dispatch coordinator was both negotiating freight rates with carriers and approving payment release in the ERP. A textbook Segregation of Duties violation creating an unchecked financial exposure window — ~$28K monthly throughput with no second-eye check.

2. What I did (without being asked)
Restructured ERP role permissions to hard-separate rate negotiation (dispatch) from payment approval (finance / management). Added a mandatory counter-signature step before any carrier payment release. Documented the SoD policy and ran a 3-week ERP access audit to verify that no other dual-role conflicts existed.

3. What changed
Zero payment disputes attributable to authorization conflict post-implementation (vs 3 prior incidents). Unauthorized inventory adjustment risk −15%. The same audit pattern uncovered 3 other SoD conflicts — all remediated. This is GRC implementation from scratch in a live logistics operation.
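An added example (not code from the page or from the Grain Warehouse implementation) of the two checks this remediation relies on: a scan of an ERP role-assignment table for the conflict pairs named in this case study (rate negotiation vs payment approval, procurement vs receiving), and a check that every carrier payment release was approved by someone other than the negotiator and counter-signed by an independent third person. The role names and the ASSIGNMENTS / PAYMENTS records are constructed assumptions, not real data.

```python
from collections import defaultdict

# SoD conflict pairs from the case study: holding both roles lets one person
# originate and approve the same financial or inventory event.
SOD_CONFLICTS = {
    frozenset({"carrier_rate_negotiation", "carrier_payment_approval"}),
    frozenset({"procurement_authorization", "warehouse_receiving"}),
}

# Constructed ERP role assignments (user -> roles); not real data.
ASSIGNMENTS = {
    "dispatch01": {"carrier_rate_negotiation", "carrier_payment_approval"},
    "dispatch02": {"carrier_rate_negotiation"},
    "finance01": {"carrier_payment_approval"},
    "buyer01": {"procurement_authorization", "warehouse_receiving"},
    "ops01": {"warehouse_receiving"},
}

# Constructed carrier payment releases recorded after the counter-signature control.
PAYMENTS = [
    {"id": "P-1", "negotiated_by": "dispatch02", "approved_by": "finance01", "countersigned_by": "mgmt01"},
    {"id": "P-2", "negotiated_by": "dispatch02", "approved_by": "dispatch02", "countersigned_by": "mgmt01"},
    {"id": "P-3", "negotiated_by": "dispatch02", "approved_by": "finance01", "countersigned_by": None},
]

def find_role_conflicts(assignments):
    """Return {user: [conflicting role pair, ...]} for users holding both roles of any SoD pair."""
    hits = defaultdict(list)
    for user, roles in assignments.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:  # user holds every role in the conflicting pair
                hits[user].append(tuple(sorted(pair)))
    return dict(hits)

def find_payment_violations(payments):
    """Flag releases where the negotiator approved, or no independent counter-signature exists."""
    problems = []
    for p in payments:
        actors = {p["negotiated_by"], p["approved_by"]}
        if p["approved_by"] == p["negotiated_by"]:
            problems.append((p["id"], "approver is the rate negotiator"))
        elif not p["countersigned_by"] or p["countersigned_by"] in actors:
            problems.append((p["id"], "missing or non-independent counter-signature"))
    return problems

if __name__ == "__main__":
    for user, pairs in find_role_conflicts(ASSIGNMENTS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for pid, reason in find_payment_violations(PAYMENTS):
        print(f"Payment {pid}: {reason}")
```

Run against a real ERP export, the same two functions give the preventive check (no account holds a conflicting pair) and the detective check (every release has an independent counter-signature) in one pass.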
Quantified before/after
Payment dispute incidents: 3 → 0
Unauthorized inventory adjustment risk: −15%
Billing disputes (8-month trend): −12%
Insurance claim recovery rate: 100%
Visual 3 — IIA Three Lines Model (2020)
5-stakeholder supply chain mapped to Three Lines of Defense
The standard governance operating model used by every Big-4 audit firm and Fortune-500 risk function. Each line has independence from the line above.
1ST LINE OF DEFENSE · Operational Management · Owns and manages risk in daily operations
📦 Supplier (CN): Origin metadata, BOL accuracy, HS-code declaration
🚢 Vendor — Freight Forwarder: Rate quoting, invoice issuance, custody handoff to carrier
🚛 Carrier — Truck Fleet: SLA on-time delivery, weight measurement, POD collection
🏭 Warehouse Ops (Shipper 1L): Receiving, PDA scan, film-wrap SOP, dual outbound verification
COBIT DSS01 · DSS05

2ND LINE OF DEFENSE · Risk & Compliance Functions · Designs & monitors controls, independent of operations
🛡️ SoD Policy Owner (Shipper 2L): 4 SoD conflicts identified & remediated · ERP role-based access control · Counter-signature workflow
📊 BI Cost Monitoring (Shipper 2L): Tableau real-time variance dashboard · Weekly distribution to all 5 stakeholders · 3 anomalies detected = $2,400 protected
📋 WMS Metadata Audit: Weekly dim/weight reconciliation · 32 audits over 8 months · −12% billing disputes
COSO P10–P15 · COBIT APO12 · APO13

3RD LINE OF DEFENSE · Independent Assurance · Independent audit & verification — outside the value chain
📋 Receiver — POD & Damage Verification: External downstream check on cargo integrity · Damage claim documentation · Independent of vendor/carrier
🗂️ SQL Audit Trail: Immutable transaction log · 100% data integrity · 8-month archive available for external audit
🗓️ Weekly Anomaly Review (Mgmt): Independent meeting reviewing SoD flags, billing disputes, hold-cargo SLAs · Escalation protocol
IIA Three Lines (2020) · MEA01 · MEA03
Supporting evidence — COSO Internal Control mapping
Six core controls (of 13 implemented) mapped to COSO 17 Principles
Concise version. Full 13-control register, evidence artifacts, and audit-trail heatmap available on request.
Component | Control | Type | Status
Control Environment | Payment Authorization Separation — Carrier rate negotiation (dispatch) and payment release (finance) hard-separated in ERP; counter-signature required. | Preventive | Effective
Control Environment | SoD Policy — Procurement vs Receiving — Procurement authorization hard-separated from warehouse receiving; dual-signature at inbound. | Preventive | Effective
Control Activities | Dual Verification at Outbound Loading — Loader + supervisor independently count and sign before truck departure. Short-load incidents: 0 post-implementation. | Preventive | Effective
Control Activities | WMS Metadata Audit — Pallet Dims & Weight — Weekly reconciliation between Lingxing WMS and carrier measurement. 32 audits → −12% billing disputes. | Detective | Effective
Information & Comms | BI Dashboard — Real-Time Cost Monitoring — Tableau dashboard distributed weekly to all 5 stakeholders. 3 anomalies detected → $2,400 cost protected. | Detective | Effective
Monitoring | Weekly Anomaly Review — Independent meeting covering SoD flags, billing disputes, hold-cargo status, WMS discrepancies. | Detective | Effective
COBIT 2019 maturity uplift — 8 processes, average 1.0 → 3.5
Maturity progression at a glance (four of the eight processes)
APO12 · Manage Risk: 12-item risk register, monthly review · L1 → L3 (+2)
DSS01 · Manage Operations: SOPs + PDA scans + daily reports · L1 → L4 (+3)
DSS05 · Security Services: SQL audit trail + PDA accountability · L1 → L4 (+3)
MEA01 · Performance Monitoring: Tableau BI · weekly distribution · L0 → L4 (+4)
Why this matters for pharma · J&J · Merck · BMS
The same controls that protect a warehouse protect a regulated supply chain.
The SoD remediation pattern, audit trail design, dual-verification SOPs, and weekly anomaly cadence I built at Grain Warehouse are structurally analogous to 21 CFR Part 11 data-integrity requirements in pharma manufacturing — same separation principles, same evidence-chain requirements, same independent-review cadence. This is why the role transfers cleanly to J&J Tech, Risk & Governance, IT audit, or GxP compliance analytics work.