I had something similar happen
Back in the early naughties, one of our customers was a name-brand diamond reseller, who was at the time setting up an early B2B diamond marketplace, hosted on our kit.
Given the size of any potential fraud, they sent in a set of security auditors to check out our setup. All good, I spent the day with them in our datacenter which was at the time pretty advanced. Think guards behind bullet proof doors, multiple man traps etc.
Problem was, on the second day, I was badly delayed due to a car accident (mine!) and turned up around 3 hours late. At this point I found the auditors had
a) convinced the guard to let them in seeing as "they were here yesterday"
b) used a boot disk and snagged a copy of the SAM DB from the NT4 servers
c) scampered with that file to try their hand with l0phtcrack to try to break any weak passwords
Needless to say, we failed the audit.