T-Codes in SAP are components of the SAP system that are used to perform specific tasks and manage system permissions. For example, IT auditors can analyze T-Code holdings or usage history to identify anomalous behavior or security breaches. In doing so, IT auditors can assess an organization's overall system security and internal controls to improve them. From an IT audit perspective, monitoring the use of T-Codes can help identify anomalies or risks in the system. If someone is trying to access sensitive data, you can detect and respond to access attempts using the corresponding T-Code. 

# T-Code (Transaction Code): 

A T-Code is a short code used in SAP systems to perform a specific task or function. Users can enter a T-Code to directly execute that task or function. For example, to perform a user management task, you can use the T-Code "SU01". 

To accomplish these objectives, IT auditors can perform the following activities.

# Key T-Codes related to security and internal controls

T-Codes cover a variety of areas such as system and user security, logging and auditing, task and batch management, system monitoring, and more. Let's take a look at a few.

- SM19: Create, change, and manage audit profiles to select activities and transactions for logging.

- SM20: You can analyze audit logs and review success and failure records for user activity in the system. Used to analyze security audit logs, which record security-related events that occurred on the system, and can be used to review security policy violations, suspicious activity, and more.

- SM21: Used to view the System Log, which allows you to review system errors, warnings, and other messages. SM22: Used to view the System Log, which records system-wide events, errors, warnings, and more.

- ST03N: A transaction code used to analyze and monitor workload and performance data. You can see which transactions users are using the most on your system, which tasks are taking the longest time, and more. You can also view detailed performance metrics for instances, application servers, background tasks, and more to help you optimize system performance and identify issues.

- SM30: Provides a maintenance screen where you can view, create, modify, and delete table data. To use SM30, you must first have a table maintenance view defined, which allows you to make changes to tables. SM30 validates the data according to the rules defined by the maintenance screen as you modify it.

- SM31: SM31 provides the ability to view and change table data, but has limited functionality and a less intuitive interface compared to SM30. 

- SM36: Used to define and schedule batch jobs. Batch jobs can run periodically or be scheduled to run at a specific time.

- SM37: Allows you to view the status of executed batch jobs. You can review the progress of the job, its completion status, errors and warnings, etc.

- STMS: Used to transfer and manage development changes between SAP systems. You can review, approve, reject, or transfer transfer requests to other systems.

- DEBUG: Used to debug ABAP programs, you can interrupt, inspect, and modify running code. Normally, this permission should never be granted under normal circumstances and should only be granted on a need-to-know basis.

- SAP_ALL: This role provides access to all transactions and functions in the SAP system. This role carries a very high risk and should be used very sparingly. In general, it should never be granted in the normal course of business and should only be granted on a need-to-know basis.

- SAP_NEW: This role contains permissions added in new SAP releases and is used to verify and test access to functionality after an update. This role requires strict access control and should not be assigned to regular users. In general, this privilege should never be granted in the normal course of business and should only be granted on a need-to-know, temporary basis.

- SU01: Used to create, change, and delete user accounts. You can set user-specific roles and permissions, password parameters, and more.

- SUIM: Used to retrieve and analyze information related to users, roles, profiles, and authorizations. This allows you to review access by user and identify risks and conflicts.

- PFCG: Used to create, change, and manage roles and authorizations. You can assign transaction, table, and program access to roles.

- SE16/SE16N: Used to view and analyze data tables. You can also view table change logs to review data for manipulation.

SE16 is a transaction designed to simply look up data in a table, so you can't see the field structure of the table.

SE16N is a T-code used to retrieve data from a table, just like SE16, but you can also check the field structure of the table.

- SA38: This is a transaction code for executing ABAP programs, which allows users to execute standard or user-defined ABAP programs that exist in the system. This transaction code is primarily focused on program execution.

- SE38: Transaction code for writing, editing, running, and debugging ABAP programs. Using the ABAP editor, developers can make changes to standard or custom programs or write new programs. SE38 focuses on development and maintenance tasks and provides a wide range of features for developers.

- SE80: Used to search and manage objects (classes, function modules, programs, etc.) stored in the ABAP Repository.

- RZ10: Transaction code for managing profile parameters, allowing you to manage instance profiles and default profiles. You can look up and change profile parameters, or save and activate changes. Profile parameters include various configuration values, such as the system's memory allocation, buffer size, password policy, network settings, and more. 

- SU24: Allows you to set and manage default values for authorization objects and authorization field values. This allows you to automatically assign authorization values when creating roles.

- ST01: Used to determine relevant information, such as time spent, related to the activity of a particular user, transaction, or object within the system. It can help you analyze threads and filters to identify technical issues, such as performance problems. 

- SU53: Used to analyze authorization errors that occurred in the last executed transaction by user. If you receive an error message after someone tries to run a transaction, it shows the missing authorization object and transaction code. 

- SU25: Used to compare the default values of SAP authorization objects with the default values of user-defined authorization objects. This allows you to see how well your custom authorization settings match the SAP defaults.

- SU10: A batch processing tool that allows you to change user master data for multiple users at once. This is useful when you need to make a large number of user account changes. You can reset or change passwords for multiple users in bulk.

- SE93: Create, change, and delete transaction codes, and manage the program and screen information associated with them.

This list provides examples of the major T-Codes. T-Codes should be managed to meet your organization's information security and compliance requirements. 

The key is that each T-Code should be limited to those with a business need and granted to only the minimum number of people required.