At first you should have a good feeling about the company doing that business. Ask for references, where they did pentests before, if and which securityflaws they have found.
Well if you are looking for a webapp pentester he should have experience in webbapp pentesting. There are so many certs out there, well I can't say just go by certs. There are a couple of certs just about the theory and/or management aspects not saying anything about their hands on knowledge. OSCP and OSCE are two certs where you can be sure that the person has at least some hands on experience and thinks outside the box (that is required in order to solve the exam challenge, especially for OSCE).
Well what is the difference for you between a pentest and vuln scan?
About the reports, that depends on the pentester/company you are hiring.
What do you expect yourself?
I'd say a detailed overview of the vulnerabilities, the consequences they have (i.e. data extraction possible) and ways to solve the issue for your IT department (if you have one).
That is what is coming directly to my mind. Might have some more ideas later on.