There are a number of product categories you can use to do a risk assessment. But don't be fooled into thinking that a tool will be a panacea to keeping your SOX auditors happy.
First, look at vulnerability scanners that can test networks, systems and applications. These are usually three separate product categories, but since any of your systems can be compromised by any attack vector, you'll need all three in order to compile a comprehensive list of what is vulnerable.
You may also want to look at an automated penetration-testing product. There are both open source and commercial options available; these can take vulnerability scanners to the next level and help you determine not only what is vulnerable, but also what can be exploited.
Finally, consider some good old-fashioned elbow grease in your risk assessment as well, in the form of a penetration test performed by humans. This can help you understand both the physical and logical places where your networks and/or systems can be compromised. Software is still evolving and can't really evaluate all of the social engineering techniques that modern-day hackers employ.
So in a nutshell, it's a little more complicated than going