Choosing between BARR Advisory and Schellman is a decision we frequently help cloud-native startups and growth-stage companies navigate. Both firms have built strong reputations in the technology sector and compete directly for the same client profile, but they approach the SOC 2 audit relationship differently. BARR Advisory is a smaller, cloud-focused firm that has grown rapidly by specializing in technology companies and cloud-native organizations. It offers a personalized engagement experience with consistent audit teams and deep familiarity with modern technology stacks. Schellman is a larger, established CPA firm with a broader service portfolio that includes FedRAMP, HITRUST, PCI DSS, and ISO 27001 alongside SOC 2, providing multi-framework capability and a deeper bench of specialized assessors. In our experience helping clients select auditors, both firms deliver high-quality SOC 2 reports that are well recognized by enterprise buyers. They differ in ways that matter depending on organizational size, framework requirements, audit complexity, and the client experience priorities that influence day-to-day satisfaction with the audit relationship.
This comparison evaluates BARR Advisory and Schellman across engagement approach, pricing, industry focus, framework coverage, firm size, and client experience, helping organizations select the right auditor for their specific needs.
Firm Overview
BARR Advisory at a Glance
| Dimension | Details |
|---|---|
| Founded | 2017 |
| Headquarters | Kansas City, Missouri |
| Firm size | Mid-size; approximately 100-200 employees |
| Primary focus | Cloud-native technology companies; SaaS platforms |
| Key services | SOC 2, SOC 1, HITRUST, ISO 27001, penetration testing |
| Client profile | Startups, growth-stage, and mid-market technology companies |
| Industry reputation | Known for responsiveness, modern engagement approach, cloud expertise |
| Platform compatibility | Works with Vanta, Drata, Secureframe, and other compliance platforms |
Schellman at a Glance
| Dimension | Details |
|---|---|
| Founded | Originally founded as Schellman & Company; established CPA firm history |
| Headquarters | Tampa, Florida; additional offices across the US |
| Firm size | Large; approximately 300-500 employees |
| Primary focus | Broad technology and compliance focus; multi-framework expertise |
| Key services | SOC 2, SOC 1, FedRAMP, HITRUST, PCI DSS, ISO 27001, penetration testing, CMMC |
| Client profile | Growth-stage through enterprise; government contractors; healthcare technology |
| Industry reputation | Known for technical depth, multi-framework capability, assessment rigor |
| Platform compatibility | Works with major compliance platforms; significant experience across all platforms |
Head-to-Head Comparison
Engagement Approach
| Dimension | BARR Advisory | Schellman |
|---|---|---|
| Team consistency | Consistent engagement team across audit cycles; same people year over year | Generally consistent but larger team rotation possible on complex engagements |
| Communication style | High-touch; responsive; accessible; startup-friendly communication | Professional; structured; thorough; enterprise-appropriate communication |
| Client onboarding | Streamlined onboarding; quick scoping; efficient kickoff | Structured onboarding; detailed scoping; comprehensive kickoff |
| Fieldwork approach | Efficient; leverages compliance platform evidence; minimal disruption | Thorough; comprehensive testing; may require more evidence interaction |
| Report turnaround | Generally 2-4 weeks after fieldwork completion | Generally 3-6 weeks after fieldwork; complex reports may take longer |
| Advisory capacity | Provides guidance throughout engagement; advisory tone | Assessment-focused; maintains independence; advisory through separate engagements |
Pricing Comparison
| Factor | BARR Advisory | Schellman |
|---|---|---|
| SOC 2 Type II (startup, standard scope) | $20,000-$40,000 | $25,000-$50,000 |
| SOC 2 Type II (growth stage, expanded scope) | $30,000-$55,000 | $35,000-$65,000 |
| SOC 2 Type II (mid-market, complex scope) | $45,000-$75,000 | $50,000-$90,000 |
| Multi-framework discount | Available; discount for combined assessments | Available; significant multi-framework experience |
| Year-over-year pricing | Generally stable; modest annual increases | Generally stable; established renewal pricing |
| Pricing transparency | Relatively transparent; scoping-based quotes | Quote-based; may vary by scope complexity and framework combination |
Industry Focus
| Industry | BARR Advisory | Schellman |
|---|---|---|
| SaaS / Cloud-native | Core specialization; deep expertise | Strong; large SaaS client portfolio |
| Fintech | Growing practice; familiar with PCI DSS overlap | Strong; combined SOC 2/PCI DSS capability |
| Healthcare technology | HITRUST-certified assessor; growing healthcare practice | Strong HITRUST practice; extensive healthcare experience |
| Government / FedRAMP | Limited FedRAMP focus | Major FedRAMP practice; 3PAO accredited; government specialization |
| E-commerce / Retail | Moderate experience | Strong PCI DSS practice supports e-commerce clients |
| Enterprise technology | Growing enterprise client base | Established enterprise practice; complex assessment capability |
Framework Coverage
| Framework | BARR Advisory | Schellman |
|---|---|---|
| SOC 2 | Core offering; primary specialization | Core offering; significant volume |
| SOC 1 | Available | Available |
| ISO 27001 | Available | Available |
| HITRUST | HITRUST assessor; growing practice | Established HITRUST practice |
| PCI DSS | Limited; may partner for PCI | Qualified Security Assessor (QSA); strong PCI practice |
| FedRAMP | Limited | Major 3PAO; FedRAMP specialization |
| CMMC | Emerging | Growing CMMC practice |
| Penetration testing | Available as add-on service | Available; integrated with assessments |
| Privacy assessments | SOC 2 Privacy criteria | SOC 2 Privacy; standalone privacy assessments |
Detailed Evaluation
Scoring Comparison (1-10)
| Category | BARR Advisory | Schellman | Notes |
|---|---|---|---|
| Startup fit | 9 | 7 | BARR more accessible and right-sized for startups |
| Growth stage fit | 9 | 8 | Both strong; BARR more personalized; Schellman scales better |
| Enterprise fit | 6 | 9 | Schellman better equipped for enterprise complexity |
| Technology expertise | 9 | 9 | Both deeply technical; cloud-native familiarity |
| Multi-framework capability | 7 | 10 | Schellman significantly broader framework coverage |
| Communication and responsiveness | 9 | 7 | BARR consistently cited for responsiveness |
| Pricing competitiveness | 8 | 7 | BARR generally more competitive for standard SOC 2 |
| Report quality | 8 | 9 | Both produce high-quality reports; Schellman more detailed |
| Brand recognition with buyers | 8 | 9 | Schellman more recognized by large enterprise buyers |
| Platform familiarity | 9 | 9 | Both experienced with major compliance platforms |
Strengths and Considerations
| Dimension | BARR Advisory Strengths | Schellman Strengths |
|---|---|---|
| Primary advantage | Personalized, responsive engagement; startup-friendly; cloud-native focus | Multi-framework breadth; enterprise capability; brand recognition |
| Engagement experience | Feels like a partnership; accessible team; low bureaucracy | Professional and thorough; structured process; reliable execution |
| Best for organizations that value | Responsiveness, personal relationships, efficient process | Technical depth, framework breadth, enterprise credibility |
| Consideration | Smaller firm may have capacity constraints during peak periods | Larger firm may feel less personalized; team rotation possible |
| Growth trajectory | Rapidly growing; expanding capabilities | Established and stable; continually expanding service offerings |
When to Choose Each Auditor
BARR Advisory Is Better When
| Scenario | Why BARR |
|---|---|
| First-time SOC 2 for a startup or growth-stage company | BARR's personalized approach, startup familiarity, and efficient onboarding reduce first-audit friction |
| SOC 2 is the primary or only framework needed | BARR's SOC 2 specialization provides focused expertise without paying for multi-framework overhead |
| Communication responsiveness is a top priority | BARR consistently receives high marks for accessibility and responsiveness |
| Budget is a significant factor | BARR's pricing is generally competitive for standard SOC 2 engagements |
| You want a consistent, small team across audit cycles | BARR's size means your engagement team stays consistent year over year |
Schellman Is Better When
| Scenario | Why Schellman |
|---|---|
| Multiple frameworks needed (SOC 2 + FedRAMP + PCI DSS) | Schellman's multi-framework capability means one firm handles all assessments with shared understanding |
| FedRAMP is required or planned | Schellman is a leading FedRAMP 3PAO; BARR has limited FedRAMP capability |
| Enterprise complexity (multi-entity, complex scope) | Schellman's larger team and enterprise experience handle complex engagements more effectively |
| Enterprise buyers specifically value the auditor's brand | Schellman's brand recognition with Fortune 500 procurement teams provides additional credibility |
| Government sector clients are a significant market | Schellman's government assessment experience (FedRAMP, CMMC) directly serves government client expectations |
| Long-term multi-framework compliance program | Schellman can grow with the organization as framework requirements expand |
Side-by-Side Decision Framework
| Decision Factor | Choose BARR If... | Choose Schellman If... |
|---|---|---|
| Company stage | Pre-Series A through Series C | Series B through enterprise |
| Framework count | 1-2 frameworks | 2-5+ frameworks |
| FedRAMP needed | No | Yes or planned |
| PCI DSS needed | No or separate assessor acceptable | Yes — combined assessment preferred |
| Budget priority | Cost-competitive option preferred | Willing to pay premium for breadth and brand |
| Engagement style | Personalized, high-touch preferred | Structured, enterprise-process preferred |
| Auditor brand for sales | SOC 2 report quality matters more than firm name | Enterprise buyers specifically recognize the firm |
Switching Between Firms
Considerations for Switching
| Direction | Key Considerations | Typical Reason |
|---|---|---|
| BARR to Schellman | Schellman may require re-understanding your control environment; expect more structured engagement | Adding frameworks (FedRAMP, PCI DSS) that Schellman handles better |
| Schellman to BARR | BARR will onboard quickly; expect more responsive communication; may save on cost | Seeking more personalized experience; primarily need SOC 2; cost optimization |
| Either direction | Keep the switch between audit cycles (not during observation period); expect a one-time transition investment | Misaligned expectations, pricing changes, or framework requirements shifting |
Key Takeaways
- BARR Advisory and Schellman both deliver high-quality SOC 2 reports recognized by enterprise buyers, but they serve different organizational profiles: BARR excels for startups and growth-stage companies that prioritize responsive communication, personalized engagement, and cost-competitive SOC 2 audits, while Schellman excels for organizations requiring multi-framework assessments (SOC 2 + FedRAMP + PCI DSS + HITRUST), enterprise-scale complexity, and a firm with broad brand recognition
- Pricing differs by 10-30% depending on engagement complexity, with BARR generally more competitive for standard SOC 2 engagements ($20,000-$55,000 for startup through growth-stage) and Schellman commanding a premium justified by broader framework capability and enterprise-grade assessment depth
- The most significant differentiator is framework coverage: Schellman is a leading FedRAMP 3PAO with strong PCI DSS, HITRUST, and CMMC practices, making it the clear choice for organizations needing multiple frameworks under one firm — BARR's SOC 2-centric focus means it delivers excellent SOC 2 audits but may not cover all framework needs as organizations scale
- Engagement experience differs meaningfully: BARR clients consistently cite responsiveness, personal relationships, and low bureaucracy as advantages, while Schellman clients value technical depth, structured processes, and the ability to handle complex multi-entity assessments — the right choice depends on which experience your compliance team values more
- For organizations unsure which firm to select, the decision often comes down to framework roadmap: if SOC 2 will remain the primary framework for the foreseeable future, BARR is an excellent choice with strong value; if additional frameworks (especially FedRAMP or PCI DSS) are on the three-year roadmap, starting with Schellman avoids a future auditor transition
- We help our clients evaluate auditor options based on their specific framework requirements, company stage, budget, and compliance program maturity — providing recommendations that account for both current needs and anticipated growth
Frequently Asked Questions
Can we use BARR for SOC 2 and Schellman for FedRAMP?
Yes — and this is a combination we recommend to clients regularly. Using different audit firms for different frameworks is common and practical. Many organizations use a specialized SOC 2 firm like BARR for their annual SOC 2 audit and a specialized FedRAMP 3PAO like Schellman for their FedRAMP assessment. The key consideration we flag for clients is that some efficiencies are lost when different firms perform related assessments — overlapping controls must be evaluated separately by each firm. If both frameworks are in your roadmap, consolidating under one firm that handles both (like Schellman) can reduce total audit effort. However, in our experience, using the best firm for each framework is a valid approach that many organizations prefer.
How do we decide if we are outgrowing BARR Advisory?
The signals we help clients watch for include: you are adding frameworks that BARR does not cover (FedRAMP is the most common trigger), your organization has grown to the point where multi-entity or complex scope assessments exceed BARR's typical engagement profile, or enterprise clients specifically ask about your auditor and expect a larger, more recognized firm name. If BARR continues to deliver high-quality reports, responsive service, and handles your scope effectively, we generally advise against switching simply because the organization has grown. Many mid-market companies we work with continue using specialized firms like BARR for SOC 2 while engaging larger firms for additional frameworks.
Will enterprise buyers care whether BARR or Schellman issued our report?
In our experience, most enterprise buyers evaluate the content of the SOC 2 report — scope, controls, exceptions — rather than the specific audit firm. Both BARR and Schellman issue reports that meet professional standards and are accepted by enterprise procurement teams. However, we have seen cases where some large enterprises (particularly in financial services and government) have preferred auditor lists, and Schellman's larger brand presence may carry more weight with Fortune 500 procurement teams. For the vast majority of enterprise sales, the quality and completeness of the report matters more than the firm name. If you are selling primarily to technology companies, SaaS companies, or mid-market enterprises, both firms are equally credible.
Should we get proposals from both firms before deciding?
We always recommend requesting proposals from both firms — and potentially other firms as well — as it provides valuable comparison data. Request proposals that include scope confirmation, team composition, timeline, pricing, and references. We advise our clients to use the proposals to compare not just price but engagement approach, team experience, and communication responsiveness during the proposal process itself — how a firm communicates during sales often predicts how they will communicate during the audit. Ask for references from organizations similar to yours in size, industry, and framework requirements.