I don't think anything is documented.  We are implementing SOX too and I am guessing most of these "rules" are coming from someone's hiney.  It's all subjective at this point. 

AJ makes some great points though.  I think if you follow what he is saying, you will survive any SOX audit.