Auditing the code is not enough, we would need to audit the state of the server since most of these servers allow ssh access the state of the system can be changed at any time by an operator.