SearchSecurity.com

How an assessor validates the PCI DSS scope of compliance

We're having trouble with PCI scope of compliance. There's some debate in our organization over whether the Qualified Security Assessor (QSA) needs to examine applications and network segments that we consider out-of-scope. Is it typical for the QSA to simply examine and validate our documentation, or is a thorough examination of out-of-scope assets common?

All Rights Reserved, Copyright 2000 - 2013, TechTarget