RE: Can someone help in preparing SOX security document for MS-SQL server production databases

  • This forum thread also provides some guidance:

    SOX and SQL server 2000

    However, SOX compliance isn't a "cookie cutter" type of thing. So you'll probably find yourself tweaking things based on what your internal auditors suggest / cite as weak controls. The best approach is to work with your auditors to determine the types of controls they are looking for and then build a security structure around that. External auditors who are validating controls are of limited use in this respect because they have to maintain independence. This is why it's not unusual for two external audit organizations to be brought in: one to help determine remediation steps and another to actually do the attestation.

    K. Brian Kelley
    @kbriankelley