Also, even without a prior pentest the admins should have a rough idea where problems areas are (or maybe even know them for a fact but cannot completely patch/disable them to not lock out legacy systems or so). A completely empty report would definitely raise suspicions