What you need to do (by the letter and spirit) is to get into what is called “Release Engineering” or “Release Administration”.
What it amounts to is isolation of the programmers from the production systems – with controls to make sure that what the programmers wrote is what you’re duplicating.
The key steps involved here are:
Archival of changes (RCS, VCS) in a verifiable manner – There are both commercial and “free” versions of source code version/revision control systems.
The programmers can compile their own code – simply because they need to make sure that it does what they intended – but – then they submit all source code, make files, etc. to the RA/RE folks who essentially clone the programmer’s development environment, and then compare their binary output to what the programmer submitted.
This covers not only the possibility of “hidden” source code, but also the more likely and common omissions of a forgotten header file, compiler upgrade or other trivial error that might result in the final product not being what the programmer intended.
Properly done, this also covers the organization from the “hit by a bus” or disgruntled employee scenario.
On a slightly humorous note – there’s a cartoon that shows a widow weeping over a gravesite, and a man speaking to her saying “I know this is a difficult time, but did he ever say anything about source code?”
Hope that helps,