Skip to Content
avatar image
Former Member

SAP Document Flow and Completeness of Tcodes

I am a new internal auditor that is working within SAP. I am quite new to the system, so I have been trying to learn as much as I can from this site. The module that I am specifically looking at is materials management. I am wondering whether there is information within SAP around the document flow around different types of transactions. For instance, I know that a standard materials management inventory purchase would following the following basic flow: RFQ --> Quotation --> Purchase Req --> Purchase Order --> Goods receipt --> Invoices - > Accounting.

Additionally, I know that there are standard Tcodes to perform these tasks - for instance ME21N for PO creation. That being said, I am also aware that there are other Tcodes for PO creation (ME21, ME25, ME58 to name a few). As an auditor, I am hoping to view something around the completeness of Tcodes for each stage of the material management flow. For example, I need to ensure that I audit and evaluate the appropriate access for every Tcode that has the ability to create a Purchase order. How can I get this information?

In line with that thought, how can I ensure that all Tcodes that allow the ability to create a PO are actually required to go through the PO release procedures configuration? Is there some sort of document flow that lays out flow of a transaction within MM? I am confused because it seems like there are different way to execute similar tasks within SAP - for example ME28 and ME29N for PO release. I am concerned about the potential that the configuration for a certain Tcode could allow for the ability to bypass certain key parts of the process, thus, allowing inappropriate or unapproved transactions. I am hoping that a complete listing of Tcodes by procedures, along with document flow information could help to fill in the gaps in my understanding.

Again, I apologize if this question is very elementary. I am very new to working with SAP. Thanks in advance; I really appreciate your insights.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Apr 16, 2018 at 08:30 PM


    I have little to offer for direct answers to your questions, but I feel we have a better community when everyone gets a response.

    First, I would recommend the SAP Help and Learning sites, in addition to this community to get started in learning. They offer more organized knowledge, instead of trying to answer specific questions.

    Both of your question sets deal with using different TCodes to complete the same process. With the Enjoy transactions (tabs, some end in "N") the GUI allows going from, for example, Display to Change, within the same TCode. It's a better user experience. And you still need specific authorization, regardless of TCode.

    For the questions about authorizations, I would recommend you spend some time with your security team to see the many dimensions of authorizations. TCode is only one of many. To create a PO, the user also needs authorizations for the Object (PO), along with the PO Type, PurchaseOrg, Purchase Group, and others. Many companies are now using SAP's GRC (Governance, Risk, and Compliance) (or some bolt-on equivalent) to evaluate the appropriate access. I also know that, over the years, several external auditors developed tools to check authorizations.

    For PO Release, it is based on the configuration parameters, without a direct tie to which TCode created the the PO. Your MM Support team can produce a report for you that shows all the POs, whether they had a Release, which Release Code was used, etc. I know that several external auditors developed similar reports to check, over the years.


    Add comment
    10|10000 characters needed characters exceeded