As part of our preparation a couple years ago, I prepared a very detailed "Scoping, Documentation, and Testing Guidance" handbook for management that outlined the approach (i.e. scoping, entity-level assessment, pilot assessment, company-wide assessment, and annual certification), including definitions for risks, controls, etc... I also prepared standardized templates and documentation requirements (e.g. standard file naming conventions). I utilized in great detail the IIA's "Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners" handbook, which can be downloaded for free from
www.theiia.org. This provides a great roadmap for beginning the process. And yes, for specialized areas like IT, this was outsourced. We maintained all our documentation in Word and Excel.