You may have been part of it, but you clearly do not have a good comprehension of it. In another comment you stated "Another great example is password rotation. The law demands you have a password rotation policy." This is completely false. Section 404 deals with the adequacy of the company's internal control on financial reporting (ICFR); it does not contain such specific IT mandates or requirements.
As you mentioned, Sarbanes-Oxley is written at a very high level, but that is meant to provide flexibility for a wide range of companies and their associated IT systems. It can be implemented badly if neither party truly understands the requirements, which looks to be the case here.
> It can be implemented badly if neither party truly understands the requirements, which looks to be the case here.
On that I totally agree with you. But my main point is that the law is so poorly written that almost no one, including most auditors, understands it, and you end up with a lot of "better safe than sorry".
If you're someone who truly understands the law, then I applaud you and I wish you were my auditor, but it seems that almost no one is as well informed as you, which is the crux of the problem.