All day, every day, it seems sometimes. I end up getting involved with interviews with the auditors and providing documentation around controls and architecting new solutions to mitigate some shortcoming. SOX isn't as bad as HIPAA, FedRAMP or whatever since SOX is just guidelines and not hard-and-fast requirements. The big audit houses just follow the "you should have something in place for X" recommendations and start asking questions.
What are your standards addressing that control/need?
Can you prove you're following the standard? Show me your documentation around that control/system.
What happens if you fail to follow that control?
Can you prove you haven't failed?
To keep your life simple you need:
Good change management and trouble ticketing. Can you document and show approval for changes? When processes fail, do they open incidents to document the failure/repair?
Centralized logging; go ahead and look into something like Splunk, Datadog, Mezmo, etc. Access control logging (user logins, account locks/resets, account creation, adds/removals from groups) all needs to go there, as well as logging for any systems doing data transfers, FTP, moving $, working with employee information, etc. Those are all where auditors will look first.
A good system for controlling access and auditing use of elevated/privileged accounts; basically, adopt a policy of the least permissions possible on everything.
Then everything else starts layering on top of that:
Configuration management on servers.
Endpoint configuration management.
Threat protection configuration and reporting.
Vulnerability scanning.
It goes on and on.
Just accept that as long as you work for a publicly traded company you'll always be implementing changes and new processes identified by your annual audits. The auditors, and more than likely your board, are always going to want to see better than last time, so some type of security scorecard is important so you can show "hey, last year we were at 75%, this year we're at 80% because we implemented XXXXX". You just want to focus on that improvement and try NOT to have a failure in a control policy. The auditors are ALWAYS going to find something, so it's important to be able to keep the conversation framed around "we're doing good in the following areas, here is where we've identified areas we can improve in and how we're going to address it before the next annual audit". If you don't, then it's going to be "our IT department is a failure, just look at all XXXXXX found during their audit".
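To make the "can you prove you haven't failed?" question concrete for the change-management, centralized-logging and privileged-access points above, here is an added example (not code from the original post or from any of the products it names) of the kind of check an auditor is really asking for: every membership change to a privileged group in the centralized logs is matched against the change-ticket register, and anything without an approved ticket, outside the ticket's change window, or self-granted is reported. The JSON-lines events, the ticket register, the `PRIVILEGED_GROUPS` set and the event names (`group.member_added`, `group.member_removed`) are all constructed for illustration; a real deployment would pull the events from the SIEM export and the tickets from the ticketing system.

```python
"""Audit evidence: privileged-group membership changes vs. approved change tickets."""
import json
from datetime import datetime

# Constructed sample SIEM export (JSON lines). Illustrative only, not real log data.
SAMPLE_EVENTS = """\
{"ts":"2024-03-04T09:12:01Z","event":"group.member_added","actor":"jdoe","target":"asmith","group":"Domain Admins","ticket":"CHG-1042"}
{"ts":"2024-03-04T09:15:44Z","event":"group.member_added","actor":"jdoe","target":"svc_backup","group":"Finance-Users","ticket":null}
{"ts":"2024-03-04T11:02:10Z","event":"group.member_added","actor":"root","target":"bwayne","group":"wheel","ticket":null}
{"ts":"2024-03-04T12:30:00Z","event":"group.member_removed","actor":"jdoe","target":"asmith","group":"Domain Admins","ticket":"CHG-1042"}
{"ts":"2024-03-05T08:00:00Z","event":"group.member_added","actor":"jdoe","target":"ckent","group":"Domain Admins","ticket":"CHG-0999"}
{"ts":"2024-03-05T08:05:00Z","event":"account.locked","actor":"system","target":"ckent","group":null,"ticket":null}
{"ts":"2024-03-05T09:00:00Z","event":"group.member_added","actor":"ckent","target":"ckent","group":"sudo","ticket":"CHG-1050"}
"""

# Constructed change-ticket register, as the ticketing system would export it.
# "window" is the approved change window (start, end) in UTC.
APPROVED_TICKETS = {
    "CHG-1042": {"approved": True, "window": ("2024-03-04T09:00:00Z", "2024-03-04T13:00:00Z")},
    "CHG-0999": {"approved": False, "window": ("2024-03-05T07:00:00Z", "2024-03-05T09:00:00Z")},
    "CHG-1050": {"approved": True, "window": ("2024-03-05T10:00:00Z", "2024-03-05T12:00:00Z")},
}

# Assumption: groups whose membership changes must always be ticketed. Adjust to your directory.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "wheel", "sudo"}

# Assumption: the event names the (hypothetical) SIEM normalizes membership changes to.
MEMBERSHIP_EVENTS = {"group.member_added", "group.member_removed"}


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def privileged_changes(events_text, privileged_groups=PRIVILEGED_GROUPS):
    """Yield only membership-change events that touch a privileged group."""
    for ev in parse_events(events_text):
        if ev.get("event") not in MEMBERSHIP_EVENTS:
            continue
        if (ev.get("group") or "").lower() in privileged_groups:
            yield ev


def audit_privileged_changes(events_text, tickets, privileged_groups=PRIVILEGED_GROUPS):
    """Return one finding per privileged-group change that lacks valid change approval.

    Each finding carries the event fields plus a 'reasons' list; the reasons are
    checked in a fixed order so the output is stable for reporting.
    """
    findings = []
    for ev in privileged_changes(events_text, privileged_groups):
        reasons = []
        ticket_id = ev.get("ticket")
        when = _ts(ev["ts"])
        if not ticket_id:
            reasons.append("no_ticket")            # change with no change record at all
        elif ticket_id not in tickets:
            reasons.append("unknown_ticket")       # references a ticket the register lacks
        elif not tickets[ticket_id]["approved"]:
            reasons.append("ticket_not_approved")  # change made before/without approval
        else:
            start, end = (_ts(t) for t in tickets[ticket_id]["window"])
            if not (start <= when <= end):
                reasons.append("outside_window")   # approved, but not when it was approved for
        # An admin adding themselves to a privileged group is a separation-of-duties red flag.
        if ev["event"] == "group.member_added" and ev["actor"] == ev["target"]:
            reasons.append("self_grant")
        if reasons:
            findings.append({"ts": ev["ts"], "actor": ev["actor"], "target": ev["target"],
                             "group": ev["group"], "ticket": ticket_id, "reasons": reasons})
    findings.sort(key=lambda f: f["ts"])
    return findings


def control_score(events_text, tickets, privileged_groups=PRIVILEGED_GROUPS):
    """Return (compliant, total) privileged changes: the number behind a scorecard percentage."""
    total = sum(1 for _ in privileged_changes(events_text, privileged_groups))
    flagged = len(audit_privileged_changes(events_text, tickets, privileged_groups))
    return total - flagged, total


if __name__ == "__main__":
    for f in audit_privileged_changes(SAMPLE_EVENTS, APPROVED_TICKETS):
        print(f"{f['ts']} {f['actor']} -> {f['target']} in {f['group']} "
              f"(ticket={f['ticket']}): {', '.join(f['reasons'])}")
    ok, total = control_score(SAMPLE_EVENTS, APPROVED_TICKETS)
    print(f"compliant privileged changes: {ok}/{total}")
```

On the sample data the non-privileged `Finance-Users` add and the `account.locked` event are ignored, and three of the five privileged changes are flagged: the `wheel` add with no ticket, the `Domain Admins` add against an unapproved ticket, and the `sudo` self-grant made outside its approved window. The `(compliant, total)` pair is the same number you would put on a year-over-year scorecard; keeping the flagged events as the evidence list is what lets you answer "can you prove you haven't failed?" with data instead of a narrative.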