I would reach out to the external company requesting assistance answering the auditors. They should be able to help you identify what belongs on them, what belongs on you and how to best respond.
You may not be processing any credit card data, but who has the encryption keys when sending to your processor.
Main question to ask is "can my company see any credit card data (pan, cvv)? If you can prove you can't see any of this data, everything should be out of scope. If you can't prove this then I understand why the assessor wants you to scan everything.
If you're using a hosted payment page linked from your website or are using end to end encryption from PEDs to your payment provider then your scope of compliance work is much reduced but not entirely eliminated. Completing the SAQ questionnaire should indicate where you need to focus. In term of card holder data discovery it's still worth doing, because there could still be legacy card data somewhere on your IT estate that has been retained in error.