A Vulnerability Assessment is a process of finding flaws in the target. Here, the organization knows that its system/network has flaws or weaknesses and wants to find these flaws and prioritize the flaws for fixing. Penetration Testing is the process of finding vulnerabilities on the target. In this case, the organization would have set up all the security measures they could think of and would want to test if there is any other way that their system/network can be hacked.