• Ed -

    There is a chance you will be OK with this if the data your Users are accessing with the 'sa' account is just Report data and not the actual core Financials. I recently survived a 6 month SOX audit and the focus was on access to the core Financials in JD Edwards. There was little interest in the Reporting application (Cognos) as it was a derivative of the core Financials. There was no interest in the CRM system (Pivotal). All were on different SQL Server backend instances.

    Remember, their job is to see that there are procedures in place to adequately protect shareholders from 'Cooking the Books'. 'Cooking Reports' is a completely different thing.

    If this Sysadmin access is granted on a server that also holds the core Financials, then you've got some explaining to do. Your procedure might indicate that access is restricted to 3 Users and only from a single workstation located in the locked Payroll area between the hours of 8 and 11 AM while in the presence of at least two company Financial Officers.

    Then again, you might just create a SQL Server role (if you can't stop to figure out what permissions are needed then even 'dbo' would be better than 'SysAdmin'), add your users to the Role, turn on SQL Server Success/Failure Login auditing and call it a day. For my recently completed audit, that most likely would have passed as compliance (with copious screenshots and a document of course).

    One more bit of advice... be responsive to their requests, provide what they ask for and put all docs in a repository for later reference. You will be asked to provide many of the same things again and again by different auditors.

    This is all survivable! Best of luck!

    Stuart

    "Chance is always powerful. Let your hook be always cast. In the pool where you least expect it, will be a fish" - Ovid
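The "create a role, add the users, turn on login auditing" approach from the reply above, written out in T-SQL as an added example (this is not code from the original post or from any of the products mentioned). The database name ReportingDB, the schema reporting, the login CORP\report.user1 and the audit names are placeholders; the SQL Server Audit objects in step 3 are a structured alternative to the server-properties "Login auditing" checkbox the reply refers to, which writes to the SQL Server error log instead.

```sql
-- Added example (not from the original post): a least-privilege alternative to
-- granting sysadmin to report users, plus login auditing and evidence queries
-- for the audit file. All object, schema and login names are placeholders.

USE ReportingDB;   -- placeholder: the reporting database, not the core financials
GO

-- 1. A database role that can only read the reporting schema.
--    Scoping the grant to the schema keeps the role away from tables
--    in other schemas on the same database.
CREATE ROLE report_readers;
GRANT SELECT ON SCHEMA::reporting TO report_readers;
GRANT EXECUTE ON SCHEMA::reporting TO report_readers;  -- only if reports call stored procedures
GO

-- 2. Map a Windows login to a database user and put it in the role.
--    Repeat per named user; on SQL Server 2008 and earlier use
--    EXEC sp_addrolemember 'report_readers', 'CORP\report.user1' instead of ALTER ROLE.
CREATE USER [CORP\report.user1] FOR LOGIN [CORP\report.user1];
ALTER ROLE report_readers ADD MEMBER [CORP\report.user1];
GO

-- 3. Server-level audit of successful and failed logins using SQL Server Audit.
--    Written to the Windows Application log so the records survive a SQL restart.
USE master;
GO
CREATE SERVER AUDIT LoginAudit
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

CREATE SERVER AUDIT SPECIFICATION LoginAuditSpec
    FOR SERVER AUDIT LoginAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);

ALTER SERVER AUDIT LoginAudit WITH (STATE = ON);
GO

-- 4. Evidence queries for the screenshots: who currently holds sysadmin
--    (should be a short, explainable list) and who is in the reporting role.
SELECT sp.name AS sysadmin_member
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

SELECT m.name AS role_member
FROM ReportingDB.sys.database_role_members drm
JOIN ReportingDB.sys.database_principals r ON r.principal_id = drm.role_principal_id
JOIN ReportingDB.sys.database_principals m ON m.principal_id = drm.member_principal_id
WHERE r.name = 'report_readers';
GO
```

Run step 4 before and after the change and keep both result sets with the audit documentation: the sysadmin membership query is the one an auditor will ask for repeatedly, and the reporting-role query shows that the users were moved to a role with read-only access rather than simply removed.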