SOC 2 for Fintech Companies: Controls and Audit Guide
SOC 2 for fintech: which TSC apply, what auditors focus on for payment data, and how a clean report unlocks enterprise deals.
By Peter Korpak · Reviewed against our methodology
BARR Advisory is a specialist SOC 2 audit firm in Kansas City, MO, USA that charges $25K–$50K for Type II audits with 4–9 month timelines. Founded in 2014, they hold 11 accreditations and specialize in B2B SaaS, Cloud Infrastructure (AWS, Azure, GCP), FinTech, and 2 more. Their pricing is in the mid-range compared to the specialist average of $18.491K–$52.655K.
Note: Pricing shown is estimated based on typical engagements. Use our SOC 2 cost calculator for a personalized estimate.
Side-by-side pricing, timeline, and certification counts for the 5 closest-priced peers in the specialist tier.
| | BARR Advisory | Control Logics | Dantia | Oread Risk & Advisory | Sage Audits | A-LIGN |
|---|---|---|---|---|---|---|
| Type II Cost | $25K–$50K | $25K–$55K | $25K–$55K | $20K–$50K | $20K–$50K | $15K–$50K |
| Type I Cost | $15K–$28K | $15K–$30K | $15K–$32K | $12K–$28K | $15K–$40K | $10K–$20K |
| Timeline | 4–9 mo | 3–7 mo | 4–10 mo | 3–8 mo | 4–14 mo | 3–12 mo |
| Team Size | 45–65+ | 20–40 | 60–90 | 5–15 | 2–10 | 700–750 |
| Certifications | 11 | 3 | 4 | 2 | 3 | 10 |
| Founded | 2014 | 2008 | 2013 | 2015 | 2024 | 2009 |
For buyers in B2B SaaS and Cloud Infrastructure (AWS, Azure, GCP), BARR Advisory fits the specialist profile when timeline (4–9 months) and Type II pricing ($25K–$50K) align with what specialist firms typically deliver. Their 11 active accreditations — including ANAB ISO 27001:2022 (via BARR Certifications), ISO 27001 / 27017 / 27018 / 27701, ISO 42001 (AI Management Systems) — extend that fit beyond pure SOC 2 into adjacent compliance frameworks.
Cloud-native SaaS, IaaS, and PaaS companies (high-growth startups through Fortune 1000 enterprises) needing multi-framework attestation (SOC 2 + ISO 27001 + HITRUST + PCI DSS) in a single coordinated engagement. Healthcare technology pursuing HITRUST. Y Combinator-style SaaS startups already running Vanta who want a Vanta MSP partner that can attest. Companies that want boutique-feel partner attention with global-consulting-firm methodology.
One of a handful of US firms eligible to audit against the four highest-regarded frameworks under one roof: ISO 27001, SOC 2, HITRUST, and PCI DSS. Branded 'Coordinated Audit' approach maps evidence once across multiple frameworks. 'No surprises' promise published on the readiness-assessment page: clear scoping, no last-minute findings. Cloud-native methodology built specifically for AWS/Azure/GCP. Big 4 alumni team operating remote-first since founding (2014). Vanta Managed Service Provider; uses taskBARR audit-management platform plus Audora partnership for 30% efficiency gains. Cameron Kline elevated to VP, Attest Practice Leader (January 2026). Multiple Best Companies to Work For awards (Ingram's 2024; KCBJ Fastest-Growing Tech 2025).
BARR Advisory is a Kansas City-based compliance and cybersecurity firm founded in 2014 by Brad Thies, a CPA, CISA, and CCSP with roots in Big 4 consulting. The firm operates remote-first, with a team of approximately 45 to 65 professionals serving 600+ cloud service organizations across 20+ countries and six continents.
BARR occupies a specific and defensible position in the market: it is one of a handful of US firms eligible to audit against all four of the highest-regarded security frameworks under one roof: SOC 2, ISO 27001, HITRUST, and PCI DSS. For growing technology companies that eventually need more than a single SOC 2, that continuity matters: you don’t restart the relationship with a new firm.
The firm rebranded in 2017 after passing its first peer review with the highest available rating, and has since grown steadily. Sister entity BARR Certifications handles ISO certification body functions as a separate legal entity, preserving the independence that accreditation requires. The firm’s promise on readiness: clear communication, an approachable team, and no surprises.
The flagship differentiator BARR leads with is their Coordinated Audit methodology. The idea is straightforward: when a company needs SOC 2 and ISO 27001 and HITRUST, running three separate engagements with three separate evidence-collection exercises is wasteful. BARR structures one engagement that maps controls across all required frameworks simultaneously, eliminating duplicate requests and reducing total time for clients pursuing multiple certifications.
In practice, this means a company that needs SOC 2 + HITRUST r2 doesn’t hand the same evidence to two different teams in two different formats on two different timelines. It is collected once, mapped to both frameworks, and the audit is coordinated across both. Clients like ThreeFlow specifically selected BARR for this reason: knowing one firm could take them from SOC 2 through HITRUST without a handoff.
This is not a common capability. The accreditation depth required to offer all four frameworks legitimately is a significant barrier. Most specialist firms hold one or two; BARR holds all four.
BARR covers an unusually wide range of frameworks for a firm of its size:
SOC Reporting: SOC 1, SOC 2 (Type I and Type II), SOC 3, SOC for Cybersecurity
ISO Certifications (ANAB accredited via BARR Certifications): ISO 27001, 27017, 27018, 27701, 42001 (AI management systems), 9001, and 22301
Healthcare and Privacy: HITRUST CSF (e1, i1, and r2 levels), HIPAA / HITECH
Financial Services: PCI DSS (QSA firm with named QSAs)
Government and Defense: FedRAMP readiness (3PAO accreditation in pursuit), CMMC (C3PAO accreditation in pursuit), GovRAMP, DFARS, NIST 800-53, NIST 800-171, NIST CSF
Cloud Security: CSA STAR, penetration testing via Psicurity partnership
Advisory: vCISO services and security program consulting through a separate cybersecurity consulting practice
BARR’s accreditation stack is the hard-to-replicate part of its positioning. Licensed CPA firm under AICPA. ANAB accredited for ISO/IEC 27001 via BARR Certifications, re-accredited in May 2023 for the 2022 version of the standard. HITRUST Authorized External Assessor with multiple CCSFP-credentialed staff. CSA STAR auditor. PCI QSA firm. Angela Redmond, Partner and Director of Attest Services, received Consulting Magazine’s Excellence in Leadership Award in 2024.
FedRAMP 3PAO and CMMC C3PAO accreditations are both in active pursuit. Until those land, BARR handles FedRAMP readiness consulting in partnership with 360 Advanced for the formal assessment piece.
BARR maintains a clean operational separation between its attest practice and its cybersecurity consulting practice. This matters for HITRUST and other frameworks with strict independence requirements: the team that performs your remediation work cannot be the team that signs your audit. BARR enforces this structurally rather than just procedurally.
In practice: if you engage BARR for a readiness assessment and gap remediation, a separate attest team handles the actual audit and report. The handoff is internal and coordinated, but the independence is real. Clients who want both readiness support and a certified audit get a seamless experience without compromising the independence that makes the report credible.
BARR has built out a proprietary tooling layer alongside partnerships with the major GRC platforms:
taskBARR is BARR’s internal audit management platform, referenced in client case studies as the primary coordination layer during engagements.
Compliance Compass, launched in August 2025, is a branded methodology and GRC enablement resource for clients and internal teams.
Audora is a strategic compliance-automation partnership that BARR reports generates a 30% efficiency gain per audit, which translates to less client burden during evidence collection.
Vanta MSP Partner: BARR is an official Vanta Managed Service Provider, meaning clients already using Vanta can run their compliance program natively alongside the BARR audit without context switching or re-importing evidence.
anecdotes is integrated for evidence collection (featured in the Codat case study). Drata and Secureframe are also supported.
Psicurity is BARR’s exclusive partner for penetration testing and vulnerability assessments.
Brad Thies (Founder, CEO, and Managing Partner) holds CPA, CISA, and CCSP credentials and has led the firm since its founding in March 2014. His background is in Big 4 and major consulting firm work before going independent.
Noelle McMullen joined as COO and Integrator in January 2025, bringing prior experience at KPMG, Gartner, and as COO at MarkLogic. She is an expert practitioner of the Entrepreneurial Operating System (EOS).
Cameron Kline was elevated to VP and Attest Practice Leader in January 2026. He joined BARR in September 2020 from a Big 4 firm and served three years as Director of Attest Services before the promotion.
Aaron Hamlin joined as Practice Leader for Cybersecurity Consulting in November 2024, bringing federal and government compliance expertise including FedRAMP, FISMA, CMMC, and NIST 800-171.
Angela Redmond (Partner, Director of Attest Services), Dariek Howard (Director, Core SOC), Adam Jones (Vice President), and Jonnae Hill (VP, People and Culture) round out the senior team.
BARR does not publish pricing. The positioning is premium, justified by the coordinated audit capability and the accreditation depth required to deliver it.
Typical engagement length runs 4 to 9 months depending on scope and readiness. The OnRamp case study shows a SOC 2 completed end-to-end in three months. The Dagger engagement, using Vanta alongside BARR, ran approximately 50% faster than Dagger’s prior audit experience.
BARR’s engagement structure follows a phased sequence: Readiness Assessment, Remediation (handled by the consulting practice), Audit (handled by the attest practice), Report, and then ongoing continuous monitoring support.
The Readiness Assessment deliverables include a System Scope definition, a prioritized gap list, and a Key Controls inventory. The explicit design goal is “no surprises” at audit: clients know exactly what needs to be in place before the audit period opens.
Separation of duties between the consulting and attest teams is maintained throughout. The team advising you on remediation is not the team signing your report.
Client feedback across published case studies is consistent on a few themes: BARR is approachable, they communicate proactively, and they function more like a security partner than a transactional auditor.
From C2FO: “They are a partner who genuinely cares about delivering the best possible results.” Brian Abent, CTO at Ceros: “BARR consistently finds a way and fits into our company culture. I know they have other clients, but it never feels like that to me.”
The multi-framework continuity benefit shows up directly in client decisions. ThreeFlow’s Shaheeb Roshan: “When we were selecting our auditor for the SOC audit, it was really important that we knew that the same auditor could support us to transition into HITRUST.” His follow-on observation: “Leading with the HITRUST certification allows us to skip ahead the gatekeeping conversations directly into how we can actually deliver value to our insurance carrier partners.”
For companies using compliance platforms, the Vanta MSP partnership has tangible outcomes. Dagger’s Sam: “BARR has brought deep security program expertise and helped us strategize, especially regarding what auditors will look for. I’m sure our engagement with BARR eliminated a bunch of unnecessary back and forths with our auditor.” OnRamp’s Lerner: “We’ve closed business deals that would have otherwise been lost if we didn’t have our SOC 2 report from BARR’s auditing experience.”
RFP360 reported a 90% drop in security requests following certification. Kinsta’s Nathan Bliss: “Our SOC 2 report and ISO certifications have become key differentiators in the market.”
January 2026: Cameron Kline promoted to VP, Attest Practice Leader.
August 2025: BARR launched Compliance Compass, a branded GRC methodology and team-enablement resource.
January 2025: Noelle McMullen named COO and Integrator.
November 2024: Aaron Hamlin hired to lead the Cybersecurity Consulting Practice, with a focus on federal frameworks.
2024: Named to Ingram’s Best Companies to Work For and recognized as a Fastest-Growing Technology Company by the Kansas City Business Journal.
BARR Advisory’s core value proposition is its accreditation stack and what that stack enables: a single firm, one ongoing relationship, covering SOC 2, ISO 27001, HITRUST, and PCI DSS through a coordinated engagement that eliminates the redundant evidence collection and schedule coordination that multi-framework compliance otherwise demands. For companies that need only one framework today but can see additional requirements on the horizon, that continuity compounds in value over time.
The firm is built for mid-market and growth-stage cloud companies that take security seriously, have regulated customers who demand audit credibility, and don’t want to shop for a new auditor every time they add a framework. The Big 4 alumni team, the two-practice independence model, and the “no surprises” readiness philosophy are what make the premium positioning defensible.
"Through our search for an auditor, BARR stood out among other firms as genuinely friendly and easy to work with."
BARR Advisory SOC 2 Type I audits typically range from $15K to $28K. Type II audits range from $25K to $50K. This is in the mid-range for specialist firms — the specialist tier average is $18.491K–$52.655K. Final pricing depends on your organization's scope, number of trust service criteria, and system complexity.