• My point about SAS70 is that your customers want to know their data is safe with you and that you aren't adding people to roles like sysadmin without great care. Rotating developers into production support and giving them sysadmin while they are in production support just seems risky to me.

    Absolutely; however, SAS70 isn't exactly a certification of competence to do the job - so it doesn't matter if the developer has the ability to do DBA tasks (perhaps they can just follow documented procedures when issues arise?), just that they have a true need to be given that access (obviously someone needs to provide support). As long as the number of people given the rights is kept to a minimum and other procedures are followed, such as removing someone who rolls off the support team, then it may not be a big deal. Having said that, separation of duties is going to come into the picture at some point - are there encrypted fields in the app that a dev knows how to decrypt, can they figure out another user's ID and password, are code reviews in place to ensure they don't add in a back-door entry method, etc. Issues like this can possibly be addressed through very strict formal processes, but I doubt your auditors would be entirely happy with it.
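The reply above rests on two checkable controls: sysadmin membership stays limited to people with a current, documented support need, and anyone who rolls off the rotation is removed promptly. The script below is an added example (not code from either poster) that reconciles a snapshot of a production sysadmin role against a support-rotation roster and reports the grants an auditor would ask about. The role name, the roster format, the one-day grace period and the headcount cap are all assumptions, and the accounts and dates are constructed sample data.

```python
"""Reconcile production 'sysadmin' role membership against the support rotation.

Added example, not from the thread. Flags:
  - "unapproved": holds sysadmin with no support rotation on record
  - "stale":      rolled off the rotation more than GRACE_DAYS ago, still a member
  - "early":      granted before their first rotation starts
  - "headcount":  more members than the agreed cap (separate finding, user "*")
Role name, roster layout, grace period and cap are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Rotation:
    user: str
    start: date
    end: date  # last day the person is on production support


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


GRACE_DAYS = 1  # assumption: access must be gone the day after roll-off


def reconcile(role_members, roster, today, grace_days=GRACE_DAYS, max_members=None):
    """Compare a set of role member names with the rotation roster for 'today'."""
    findings = []
    by_user = {}
    for r in roster:
        by_user.setdefault(r.user, []).append(r)

    for member in sorted(role_members):
        rotations = by_user.get(member)
        if not rotations:
            findings.append(Finding(member, "unapproved",
                                    "holds sysadmin with no support rotation on record"))
            continue
        if any(r.start <= today <= r.end for r in rotations):
            continue  # currently on rotation: access is justified
        past = [r for r in rotations if r.end < today]
        if past:
            last_end = max(r.end for r in past)
            if today - last_end > timedelta(days=grace_days):
                findings.append(Finding(member, "stale",
                                        f"rolled off {last_end.isoformat()}, still a member"))
            continue  # rolled off within the grace window
        next_start = min(r.start for r in rotations)
        findings.append(Finding(member, "early",
                                f"rotation starts {next_start.isoformat()}"))

    if max_members is not None and len(role_members) > max_members:
        findings.append(Finding("*", "headcount",
                                f"{len(role_members)} members, agreed limit {max_members}"))
    return findings


# Constructed sample data (not real accounts).
TODAY = date(2024, 3, 15)
ROSTER = [
    Rotation("alice", date(2024, 3, 1), date(2024, 3, 31)),   # on rotation now
    Rotation("bob", date(2024, 2, 1), date(2024, 2, 29)),     # rolled off two weeks ago
    Rotation("carol", date(2024, 4, 1), date(2024, 4, 30)),   # not on rotation yet
    Rotation("dave", date(2024, 3, 14), date(2024, 3, 14)),   # rolled off yesterday
]
# Snapshot of the server role; in practice this would come from the DBMS catalog.
SYSADMIN_MEMBERS = {"alice", "bob", "carol", "dave", "eve"}


if __name__ == "__main__":
    for f in reconcile(SYSADMIN_MEMBERS, ROSTER, TODAY, max_members=3):
        print(f"{f.issue:<10} {f.user:<8} {f.detail}")
```

With the sample data the report lists bob (stale), carol (early), eve (unapproved) and a headcount finding; alice is on rotation and dave is inside the grace window, so neither is flagged. Run it on a scheduled basis against the real role snapshot and keep the output as the evidence that the roll-off procedure the reply describes actually happens.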