We schedule the scans, the pen tests and the IT audit as three separate engagements. The scans are the most frequent and then the pen tests. When we schedule the IT audit (the internal controls piece as Jen says,) we discuss how long it's been since the scans or pens. May or may not repeat during the audit, but it's usually a separate engagement.