The auditors should research the concept of "arm's length transactions"; this is a standard method for dealing with people having multiple roles in financial transactions, e.g. the corporation I own all of the stock in wants to give me a check for personal expenses. The way this is handled is simple. First, do everything as if it were separate people. Second, document everything. Third, do everything by the book.
So log everything done on a production server, and don't do any development work when you're working on the production facilities. If you want to be completely covered, log all of your development work as well. Dev work logs can be looser, but this will give a documentable trail of the two separate activities.
We recently moved our datacenter and went through this whole discussion. The Finance/Sr Mgmt/Auditors all pulled that same argument that I couldn't have the SA password nor be a local admin on the box.
I agreed, but only on the condition that they (the trustworthy ones -- their words) were to be the "key masters". When our folks at overseas offices started calling me at 3 in the morning, I gave them the phone numbers of these trustworthy ones, and a meeting was called very quickly to resolve this issue. (I actually got some decent sleep those three nights!)
The end result of the meeting was:
1. I am back where I am able to do my job (SA and local admin). We implemented many standardized procedures that can be documented and followed, which is the real meaning of SOX and ultimately what the auditors are looking for.
2. I did use it to get most of the developers off the production boxes and for them to create more of an admin interface to do their jobs.
3. They now have a much bigger appreciation/understanding for the number of hours that we work and our job skills.
4. We had a serious and meaningful discussion about data security, job roles and responsibilities.
I hate politics as much as anyone but sometimes it has to be played when they won't come in with an open mind.
SOX is not the problem here, but the lack of understanding of what SOX requires of us. People are always with their finger on the trigger, waiting to say it's a SOX issue and must be under control, when in fact not everything that is a problem is a SOX issue. Let's not confuse SOX with red tape. SOX is good; lots of red tape is not good.