If the controls shouldn't be in scope based on the risk analysis, then they should be able to be disabled. Different systems require different controls. Sometimes more, sometimes less, than the generally accepted best practices in whatever compliance standard you are measuring against. If a control costs you more than the value of the asset it protects, get rid of it, period. Only your business can make that determination, then, of course, you ave to prove it to the auditor.