Pick a cliché that makes sense here. Where the rubber meets the road, for instance. Reporting is where it really all happens. You can spend days or weeks doing the actual testing, but if you don’t report it, what was the point? When you are trying to get the attention of someone who may actually be able to fix the issues that you found, you need to deliver a professional presentation and be able to explain the issues in a very clear manner. It’s important to convey your findings in an objective fashion so someone who doesn’t understand information security will be able to comprehend what you are saying. They also need to be clear about what you believe should be done as a result of what you found. Indicating how to fix the problem is where you can really add value. If you just toss a report on someone’s desk explaining where they have a lot of problems and then leave, you aren’t being very helpful to them, though they will have a report that they can use against an audit. In the end, though, just being able to say that they did a penetration test to get an audit checkmark isn’t going to be helpful. In six months or a year when they run the test again for their audit requirements, the findings will still be there, and a decent auditor will make note of that.