Security Audit/Pen Test
Is it standard practice to grant those who are seeking to test the integrity of our systems root/admin access? It would seem to me that this is irregular given our training and policies about not giving anyone who shouldn't have admin or root access such access...
Furthermore, the vendor wants to make config changes so that their scans can run, once again, going against policy and best practices.
I can't help but wonder if this IS the test...