I was just talking to a local client of mine in the US, and they actually require this when they contract audits and pentests. They are an educational institution, and we must disclose a list of the points that will be tested before the audit, then provide a summery of the points that were tested after the audit.

I found this link to start making my document of "what will be tested." https://beaglesecurity.com/blog/web-application-vulnerabilities-index.html however I was a bit disappointed when I got the results of my first test. It didn't list out all the tests and a note about them, with findings or no findings.