The NSA could require that certain security properties of the system be held (e.g., all wire transmission and storage of data is encrypted with certain key management policies..) and a 3rd party (e.g., like an accounting firm) could be the one doing the audit.