• I would also add that, as well as securing the database as much as you can in terms of removing unnecessary accounts (as has been suggested) and applying ACLs as appropriate, you should also consider the following:

    1. Separation of duties - You should ensure that any audit data is held securely, is tamper-proof, and cannot be modified by any privileged users.

    2. Metrics - Look at specific metrics within the database to assess the overall health (ideally this should be automated in some way). For example: number of failed logons, one user one IP, access to sensitive stored procedures. In this way you will, over time, be able to build up a picture of the health of the database.

    3. Audit - Automate the audit process so that you can get a clear picture of who, what, when and how in terms of DB access. This needs to be granular right down to field level within the DB.

    4. Keep as much of the auditing process separate from the DB (external to the database) and DBAs as possible. This could be achieved using third-party tools in conjunction with the auditing functions of the database environment (as a backup).

    I'm not sure if all of these are relevant to SOX etc but they are desirable / good practice from a security perspective at least.

    My 2 cents.
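The metrics in point 2 (failed logons, one user one IP, access to sensitive stored procedures) and the tamper-proof audit trail in point 1 can both be demonstrated in a few lines. The following is an added example, not code from the post above or from any database vendor's tooling: it runs the three checks over a constructed set of audit events and shows a hash-chained audit log in which modification or deletion of a record is detectable. The event format, the threshold, the sensitive procedure names and the sample data are all assumptions made for the example.

```python
import hashlib
import json
from collections import Counter, defaultdict

# Constructed sample audit events for this example (not from any real database).
# Each record is the kind of row a DB audit trail exports: who, from where,
# what action, on which object, and whether it succeeded.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:00:01", "user": "app_svc", "ip": "10.0.1.20", "action": "LOGIN", "object": "", "status": "OK"},
    {"ts": "2024-01-10T08:00:05", "user": "jsmith", "ip": "10.0.5.11", "action": "LOGIN", "object": "", "status": "FAIL"},
    {"ts": "2024-01-10T08:00:09", "user": "jsmith", "ip": "10.0.5.11", "action": "LOGIN", "object": "", "status": "FAIL"},
    {"ts": "2024-01-10T08:00:14", "user": "jsmith", "ip": "10.0.5.11", "action": "LOGIN", "object": "", "status": "FAIL"},
    {"ts": "2024-01-10T08:01:30", "user": "app_svc", "ip": "10.0.1.21", "action": "LOGIN", "object": "", "status": "OK"},
    {"ts": "2024-01-10T08:02:00", "user": "dba1", "ip": "10.0.9.5", "action": "LOGIN", "object": "", "status": "OK"},
    {"ts": "2024-01-10T08:03:00", "user": "dba1", "ip": "10.0.9.5", "action": "EXEC", "object": "sp_grant_admin", "status": "OK"},
    {"ts": "2024-01-10T08:04:00", "user": "app_svc", "ip": "10.0.1.20", "action": "SELECT", "object": "orders", "status": "OK"},
    {"ts": "2024-01-10T08:05:00", "user": "jsmith", "ip": "10.0.5.11", "action": "LOGIN", "object": "", "status": "OK"},
]

# Hypothetical tuning values: a failed-logon threshold and the list of stored
# procedures considered sensitive in this (invented) environment.
FAILED_LOGON_THRESHOLD = 3
SENSITIVE_PROCS = {"sp_grant_admin", "sp_export_cardholder"}
GENESIS = "0" * 64  # previous-hash value for the first audit record


def failed_logons(events, threshold=FAILED_LOGON_THRESHOLD):
    """Users whose failed LOGIN count reaches the threshold."""
    counts = Counter(e["user"] for e in events
                     if e["action"] == "LOGIN" and e["status"] == "FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


def multi_ip_users(events):
    """'One user, one IP': users seen from more than one source address."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["ip"])
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) > 1}


def sensitive_proc_access(events, sensitive=SENSITIVE_PROCS):
    """Every execution of a stored procedure on the sensitive list."""
    return [(e["ts"], e["user"], e["object"]) for e in events
            if e["action"] == "EXEC" and e["object"] in sensitive]


def report(events):
    """Run all three metric checks and return the findings."""
    return {
        "failed_logons": failed_logons(events),
        "multi_ip_users": multi_ip_users(events),
        "sensitive_proc_access": sensitive_proc_access(events),
    }


def _canonical(record):
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def chain_records(events):
    """Wrap each record with the previous record's hash and its own hash.

    Editing, reordering or deleting an earlier record changes the hash the
    following record expects, which verify_chain() then reports.
    """
    prev, chain = GENESIS, []
    for record in events:
        digest = hashlib.sha256((prev + _canonical(record)).encode()).hexdigest()
        chain.append({"record": record, "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Return the index of the first inconsistent link, or -1 if the chain is intact.

    Caveat: silently dropping records from the *end* is not detected by the
    chain alone; the latest hash has to be recorded somewhere the DBAs cannot
    reach (a separate log host, WORM storage, etc.).
    """
    prev = GENESIS
    for i, link in enumerate(chain):
        expected = hashlib.sha256((prev + _canonical(link["record"])).encode()).hexdigest()
        if link["prev"] != prev or link["hash"] != expected:
            return i
        prev = link["hash"]
    return -1


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_EVENTS), indent=2))
    chain = chain_records(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain) == -1)
    print("first bad link after deleting record 6:", verify_chain(chain[:6] + chain[7:]))
```

On the sample data the report flags `jsmith` (three failed logons), `app_svc` (seen from two IPs) and the `dba1` call to `sp_grant_admin`. The chain check illustrates why point 4 matters: a chained log detects edits and deletions in the middle, but truncating the tail leaves a perfectly valid shorter chain, so the head hash must live outside the database and outside DBA control.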