Are you under the misimpression that KPMG or PwC filling out a checklist will catch a back door? They’re looking for things like whether your servers have an old OpenSSL library or your code doesn’t escape values in SQL, which is pretty low-hanging fruit even on hosted apps and much less valuable for local apps.