A great answer is posted next by Mark who makes some great observations including the fact that the actual requirements seem to be little understood and that auditors themselves are requiring things to be done that are not required as part of the legislation and that the cost of this fact will outweigh that of the true requirements. Mark also gives us a link to a Yahoo Group dedicated to Sarbanes Oxley and Oracle. The link is actually wrong in the Oracle-l thread. Mark also makes a good point about getting the DBA signed up to the "functional Team".
Paul as always makes a good contribution by giving us a link to Arups book about HIPAA and also to a paper by Arup about FGA and he makes a valuable point about SOX being so open to interpretation that its best to get advice from the auditors. Very interesting thread on this legislation.