• The SOX document is actually a group of practices that are specific to different kinds of companies and the departments in the company.

    As far as auditors go, they get to make up the rules of what needs to be audited and at what level. This is where management gets involved. We have 3 sets of auditors: Internal, External Consultant, External Audit. The consultant was supposed to help us formulate our own rules and practices (since the external cannot make direct contributions, only tell us if we pass or fail). What gets my goat is we went through this and ended up with 380 items for evaluation from the consultants. In our first audit (2 years ago), the external auditors said more than 1/2 were unacceptable or not needed. We now have 92 items. Each item contains 3 to 25 questions/lines.

    Long and short: work with auditors; when they are unreasonable, it is up to management to push back.

    Most practices are easy to do, and after you have been through it, the quarterly stuff does not take long. We only have 1 item that is not acceptable: protecting the systems from the DBAs (that's me). We have evaluated several products. Each would satisfy audit, but I showed them how I can get around them (I am not a good hacker), and each cost $100,000 plus.

    Good luck,

    Joseph