• I haven't done this in a while, but there really isn't any "acceptable number" of admins. It should be the people that need it and no one else. No extras.

    The thing with SOX is that we treated it very much like ISO and the creed was "say what you do and do what you say". So document what the access rights are and who needs them and then prove you've done it by having a record of someone being granted access. It can be email, but it should be some log, print or digital, that notes when you grant access.

    The same thing applies for the rest of the systems. Document the backup strategies needed and then have a doc that shows you checked to be sure they were working. We used to keep an Excel doc and have a report run of backups each day. We reviewed the report and initialed in the Excel file to show we were checking backups. Our Excel file had all sorts of columns for daily and weekly checks that were just the tasks we regularly performed.

    SOX isn't hard, but it is work. And it requires tedious documenting and following your documentation. Once you get in the habit, it's not bad.