The core message of Section 404 of the Sarbanes-Oxley Act is:
Issuers are required to publish information in their annual reports
concerning the scope and adequacy of the internal control structure
and procedures for financial reporting. This statement shall also
assess the effectiveness of such internal controls and procedures.
The registered accounting firm shall, in the same report, attest to
and report on the assessment on the effectiveness of the internal
control structure and procedures for financial reporting.
As all SEC registered companies (and almost all companies worldwide) rely on IT for their financials, you can see why servers, networks and IT are essential.
You are correct in that interpretation of certain SOx requirements can be variable, but some controls, such as only allowing privileged access to systems (i.e. root access) to those administrators who require it, make sense in many environments.
The problem companies have is that the requirement comes from the regulator, who can effectively stop the company trading if requirements aren't complied with. So unless the company has an experienced team with enough time/resource to go in depth on requirements, they may just put blanket rules in place just in case.
I'm hoping this question will be appropriate for this site. The ServerFault people didn't think it applied to system administrators. Certainly I think it can be answered from a security perspective, if nothing else.
Ever since the passage of Sarbanes-Oxley (SOX), IT departments around the US have used "SOX compliance" as an extremely broad reason for implementing all sorts of policies.
The thing is, as I understand it, there's not one single mention of IT in the SOX act.
Specifically to address your points:
- No shipping a replacement laptop to your home address - this helps avoid theft in transit, shipping to the wrong address, or fraud (from you saying you never received it etc.)
- Root access on a Unix server - strong segregation of duties protects companies from fraud
- The git/mysql issue I can't really pin on a SOx requirement. It seems more likely that the policy on applications in that company required a certain level of support.
Typical policies in Fortune 100 companies that cover SOx are much longer than we could add in here. I have helped organisations with upwards of 80 policies, each one having over 20 pages that have elements of SOx related controls throughout. You can get generic ones from a number of places online, but to get value from them you need to tailor them to your company's specific needs.