I don't think anything is documented. We are implementing SOX too and I am guessing most of these "rules" are coming from someone's hiney. It's all subjective at this point.
AJ makes some great points though. I think if you follow what he is saying, you will survive any SOX audit.