If a TRUE penetration test is being conducted, all aspects of security should be considered for scope. SE should be part of the test regardless, since it can be used as a viable method into the system, regardless of whether the tester comes through the front door posing as a fire marshal or sends an email to a user posing as help desk. SE should be on the table.
At my last job, they ran an internal and external test but they didn't want to use SE because they didn't want to alarm users. Really??? Don't you want to know if your security awareness is working?? I just shook my head. The external network had a very limited attack surface. Only VPN and a Citrix portal were available. No OWA or any other web services were allowed in. Mail was filtered through our spam/AV hosts, so those ports weren't open directly. Granted, if you compromised that anti-spam hosting provider you might be able to sneak in that way, but it is another hurdle for the attacker.
Needless to say, a well-placed phishing email would most likely be the way in. No one will come to the front door. Even a phone call may work. Well, regardless, the CIO thought it was a good idea to outsource everything, including security, so not my problem anymore. :-p
But yes, SE should be done, if not during the main test, then at least a couple of times a year to test your security awareness training.
Today at BSidesDE we had a great panel discussion on why infosec sucks and whether it was the fault of the users or us. We agreed that it was a little of both. And a point came up about testing the users to know if your message is really getting through.
Sorry for the long post. Been up for 16 hours so... yeah, I need sleep.