I'm a former Big Four auditor, on the financial side, but I worked pretty closely with our tech folks and I'm now in the tech industry. SOX really does have very strict internal control requirements on financial data and how and where it can pass between systems and people, whether technological systems or physical ones. I've worked with clients who used strict password rotation to fit the law, as well as with clients who didn't do this. As long as the policies are clearly spelled out, do not allow those who are no longer supposed to have access to have access, and are consistent across the organization, it's all good. For example, one company I worked with changed passwords to one system only when someone rolled off the team working on it. That happened infrequently, but more than once a year. The policy was clear, written, and consistent, so it fit the internal control criteria.
Really, we'd need to find what are called 'material weaknesses' or 'significant deficiencies' to make us really stop and consider writing up a finding that would be published. 'Material weaknesses' are considered worse, and would likely lead to the possibility of a material misstatement in the financial statements of the firm. Deficiencies are a step below that. If the firm corrects them, we're okay for the most part, unless the weakness was terrible.