OpenBSD combines two seldom used techniques. First, not having millions of lines of code written by random untrusted people. This allows them to use the second technique, which is to actually read their code.
Well, that is not good enough. How can you proof that already read (audited) code wasn't tampered afterwards by a hacker? If you don't use cryptographic hashes you can't.