You're getting good advice on this thread, Mary, and I hope it's helpful.
With SOX, you have to be a publicly-traded company. If you're private, you're not subject to SOX (although it's not a bad idea to go ahead and put together the documentation).
I know you didn't ask about PCI, but since there's some discussion around that here, it's pretty cut and dried. If you're in the business of collecting, storing or transmitting credit card data that contains customer identifiable information, you're subject to PCI. If you accept payments over the web, you're subject to PCI. However, if you use a third-party's web app that accepts and processes the payments, then just sends you the funds, you can get out of it. PCI is very hot right now with identity theft being one of the top white collar crimes today.
There are a ton of remediation firms and PCI-certified auditors who will help you on both ends of the audit, but they will not do your documentation. This is where I put in a shameless plug for our company ... we do PCI and SOX documentation. :-)