Hi,
As far as SOX compliance in SAP Security is concerned, it's about system audit. There are some controls against which the audit is conducted, on the following things:
1) SODs are met.
2) TR movements from DEV -> PROD are documented with approval (risk assessment/UAT).
3) Password policies are maintained in the system (restricting some passwords / expiration policies).
4) Critical t-codes are restricted (we can use a fire fighter ID for giving critical t-code authorisations).
5) Fire fighter IDs should be with owner.
6) Periodic review of authorisations/access should be done.
7) Organisation leaver's user ID should be restricted.
8) User IDs without a name are not allowed.
There are some other controls; I have mentioned some of the controls against which a SOX audit is conducted.
Regards,
Rahul