Heres a draft of whats currently in use by my employer all specific info dropped:
Attack & Penetration Authorization Form
The "Insert authority here" has authorized "Insert Tester Here" to operate and conduct A&P testing within Company's environment. All A&P program activities must be approved in advance, in writing, by the "Insert Authority Position here" or Executive responsible for the system to be tested.
Affected Business Unit(s) or Department(s)
Targeted System(s) - (insert very specific information here, detailing the specific systems that you will target, and potentially what may NOT be targeted.
Objectives (insert what you are trying to test for here. This is a reasonable general statement attached)
Authorized testing personnel will assess physical and logical network/system security and privacy controls in systems identified. The assessment will entail both passive and active means of information gathering.
Authorized personnel will attempt to gain access to sensitive private or proprietary information in an effort to evaluate the security measures currently enacted, and provide recommendations for improvement.
Affected Business Unit / Department Authorization
Signature / SOA Date