By Peter Korpak · Reviewed against our methodology

Schellman

National tier · Verified · Tampa, FL, USA

Type II Cost: $20K–$100K
Timeline: 3–12 months
Founded: 2002
Team Size: 500-700+

Schellman is a national SOC 2 audit firm in Tampa, FL, USA that charges $20K–$100K for Type II audits with 3–12 month timelines. Founded in 2002, they hold 14 accreditations and specialize in Government/Defense, Healthcare, Financial Services, and 3 more. Their pricing is below average compared to the national average of $40.263K–$106.842K.

How Much Does Schellman Charge for SOC 2?

Type I Cost: $15K–$30K
Type II Cost: $20K–$100K
Timeline: 3–12 months
Team Size: 500-700+
Report Delivery: 4-6 weeks
Response Time: Professional and responsive

Type II Pricing Position

Scale: $10K to $450K. Schellman: $20K–$100K. National avg: $40.263K–$106.842K.

Note: Pricing shown is estimated based on typical engagements. Use our SOC 2 cost calculator for a personalized estimate.

  • 95% of National firms charge more for Type II
  • 95% of National firms have longer minimum timelines
  • 14 certifications (tier avg: 3)

Compare Schellman with Similar National Firms

Side-by-side pricing, timeline, and certification counts for the 5 closest-priced peers in the national tier.

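  • Schellman: Type II $20K–$100K; Type I $15K–$30K; Timeline 3–12 mo; Team Size 500-700+; Certifications 14; Founded 2002
  • CBIZ (formerly Marcum LLP): Type II $40K–$100K; Type I $25K–$50K; Timeline 4–9 mo; Team Size 10000–11000; Certifications 9; Founded 1951
  • RubinBrown: Type II $40K–$100K; Type I $25K–$80K; Timeline 6–14 mo; Team Size 1000–5000; Certifications 1; Founded 1952
  • KLR (Kahn Litwin Renza): Type II $40K–$100K; Type I $25K–$80K; Timeline 6–14 mo; Team Size 350–5000; Certifications 1; Founded 1975
  • Grassi: Type II $40K–$100K; Type I $25K–$80K; Timeline 6–14 mo; Team Size 600–5000; Certifications 2; Founded 1980
  • BDO UK: Type II $40K–$100K; Type I $25K–$80K; Timeline 6–14 mo; Team Size 8000; Certifications 1; Founded 1903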

Schellman Industry Fit

For buyers in Government/Defense and Healthcare, Schellman fits the national profile when timeline (3–12 months) and Type II pricing ($20K–$100K) align with what national firms typically deliver. Their 14 active accreditations — including Top 50 CPA Firm, PCAOB Registered, ISO 27001 Certification Body (ANAB) — extend that fit beyond pure SOC 2 into adjacent compliance frameworks.

Who Should Hire Schellman?

  • Defense contractors needing CMMC + FedRAMP
  • Federal agencies requiring top-tier FedRAMP 3PAO
  • Classified systems operators (ONLY auditor with DoD Facility Security Clearance)
  • Healthcare organizations needing HITRUST + SOC 2 bundles
  • Companies wanting Top 50 CPA brand with multi-framework expertise

What Makes Schellman Different?

#1 FedRAMP 3PAO globally with unmatched government/defense expertise. ONLY audit firm with DoD Facility Security Clearance for classified assessments (unassailable competitive moat). Top 50 CPA firm issuing 1,000+ SOC reports annually. 'The Power of One' cross-compliance: SOC + ISO + FedRAMP + HITRUST + PCI + CMMC under single roof. Founded 2002, 20+ years compliance focus

Is Schellman Right for You?

  • You're on a tight deadline — they can start and deliver in as few as 3 months
  • You need HITRUST + SOC 2 bundled in a single engagement
  • You're pursuing FedRAMP authorization alongside SOC 2
  • You handle payment data and need PCI DSS + SOC 2 together
  • You're in healthcare and need HIPAA-aware auditors
  • You're in financial services with regulatory audit requirements

About Schellman & Company, LLC

Schellman & Company represents the gold standard for government and defense compliance, combining Top 50 CPA firm credibility with unmatched FedRAMP and CMMC expertise. Founded in 2002 by Chris Schellman as a two-person SAS 70 audit shop, the firm now issues 2,000+ SOC reports annually, serves 900+ clients worldwide, and is ranked #46 on Accounting Today’s 2026 Top 100 Firms with $197 million in revenue, ~500 employees, and 28 partners.

Schellman is the #1 FedRAMP 3PAO globally, and in April 2026 became the first 3PAO to assess 200 cloud service offerings on the FedRAMP Marketplace — work that has helped clients secure 870+ ATOs across 71 federal agencies.

Now led by CEO Avani Desai (since 2021) with Doug Barbin as President, Schellman recently announced (March 2026) a strategic investment from Private Equity at Goldman Sachs Alternatives. Lightyear Capital, which acquired majority ownership in 2021, will remain a minority investor following the close of the deal (expected Q2 2026). The transaction is earmarked for international expansion (UK and Europe), healthcare and financial services growth, and large-scale M&A.

In March 2025, Schellman received a Facility Security Clearance (FCL), enabling it to perform classified DoD assessments including IL6, classified SOC 2 examinations, and penetration testing on cleared systems — a rare capability among compliance assessors.

Schellman serves defense contractors, federal agencies, healthcare organizations, financial services companies, and technology firms seeking Top 50 CPA brand prestige with deep technical expertise across SOC, ISO, FedRAMP, HITRUST, PCI, and CMMC frameworks. The firm offers 60+ types of audits and assessments and reports a 98% client retention rate.

Government & Defense Dominance (PRIMARY DIFFERENTIATOR)

Schellman’s government and defense capabilities are genuinely unmatched among compliance auditors:

FedRAMP Leadership:

  • #1 FedRAMP 3PAO globally since accreditation in July 2012 — leading market share for federal cloud security authorizations
  • First 3PAO to reach 200 FedRAMP assessed offerings on the FedRAMP Marketplace (April 2026 milestone)
  • Clients have secured 870+ Authorities to Operate (ATOs) across 71 federal agencies
  • FedRAMP Low, Moderate, High authorizations across the program
  • DoD Impact Levels IL4, IL5, IL6 assessments for sensitive and classified systems
  • Facility Security Clearance (FCL) — received March 31, 2025; enables classified DoD assessments
  • Type A 3PAO — assessment-only (no consulting), maintaining strict independence

Obtaining a Facility Security Clearance requires extensive background checks, facility security measures, and deep DoD trust. Schellman’s FCL gives it a rare capability for classified DoD IL6 work, classified SOC 2 examinations, and penetration testing on cleared systems — creating a defensive moat competitors cannot easily replicate.

CMMC Excellence:

  • Original C3PAO - among first authorized under CMMC 1.0
  • Reauthorized C3PAO - under finalized CMMC 2.0 program
  • First JVSA Assessment - performed first Joint Voluntary Surveillance Assessment
  • Level 1, 2, 3 assessments for defense contractors

StateRAMP:

State-level FedRAMP equivalent for state/local government cloud services

Client Validation:

“Schellman has been a strategic 3PAO partner for Palantir consistently delivering exceptional assessment services. We are excited to see them expand their capabilities into cleared environments.” — Kevin Carr, Palantir Technologies US Government Cloud Compliance Lead

Palantir as a client - one of the most security-sensitive defense technology companies - validates Schellman’s high-assurance capabilities and government expertise.

“The Power of One” - Cross-Compliance Expertise

Schellman’s positioning centers on “The Power of One” - comprehensive cross-compliance capability combining SOC, ISO, FedRAMP, HITRUST, PCI, and CMMC under a single roof. This appeals to organizations tired of coordinating multiple auditors with duplicate work.

Core Compliance Services:

SOC Audits:

  • SOC 1, 2, 3
  • SOC for Cybersecurity
  • 2,000+ SOC reports annually (largest volume globally alongside A-LIGN)
  • Clients ranging from startups to Fortune 500

ISO Certifications (ANAB Accredited Certification Body):

  • ISO 27001 (Information Security)
  • ISO 27701 (Privacy)
  • ISO 42001 (AI Management Systems) — world’s FIRST ANAB-accredited certification body
  • ISO 9001 (Quality Management)
  • ISO 22301 (Business Continuity)
  • ISO 14001 (Environmental Management)
  • ISO 27017/27018 (Cloud Security/Privacy)

Healthcare & Privacy:

  • HITRUST CSF Assessor
  • HIPAA assessments

Payment Security:

  • PCI DSS QSA (Qualified Security Assessor)
  • PCI PIN, PCI P2PE, PCI 3DS

International & Specialized:

  • TISAX (Trusted Information Security Assessment - automotive industry, European)
  • HDS (Hébergeur de Données de Santé - French health data hosting)
  • APEC Cross-Border Privacy Rules (Accountability Agent)
  • Penetration Testing (including classified systems)

Emerging Services:

AI Governance:

  • ISO 42001 assessments
  • EU AI Act compliance advisory
  • Microsoft SSPA Section K (AI) assessments

Sustainability/ESG:

  • Sustainability reporting services (via 2023 acquisition)
  • Corporate governance and transparent reporting

Web3/Blockchain:

  • Cryptography-based communication attestations
  • Blockchain storage verification
  • Verifiable digital credentials

Leadership & Organizational Evolution

Avani Desai — Chief Executive Officer

Background:

  • 14+ years at Schellman; elevated to CEO in 2021
  • Featured in Forbes, CIO.com, Wall Street Journal
  • 2026 Henry Crown Fellow, Aspen Institute
  • Named 2017 Global Leader in Consulting by Consulting Magazine
  • Has spoken at the World Economic Forum in Davos

Focus Areas:

  • Emerging healthcare issues and privacy concerns
  • Future technology trends and AI governance
  • Women in technology advocacy

Philanthropy & Boards:

  • Board member: Arnold Palmer Medical Center, Philanos, Central Florida Foundation (Audit Committee Chair)
  • Co-chair: 100 Women Strong (female venture capitalist giving circle)

Doug Barbin — President

Leads firm operations and acquisition strategy alongside Desai; public spokesperson on M&A activity including the INSYTE acquisition.

Corporate Structure & Ownership:

2021 — Lightyear Capital Recapitalization:

  • Lightyear Capital (NYC-based PE firm, $8.1B AUM) acquired majority ownership in September 2021
  • Founder Chris Schellman exited 6 years early (2021 vs. 2027 planned retirement)
  • Avani Desai elevated from President to CEO
  • Senior leadership team retained for continuity
  • Transaction also separated attest services (Schellman & Company, LLC) from non-attest services (Schellman Compliance, LLC)

2026 — Goldman Sachs Alternatives Strategic Investment:

  • Announced March 5, 2026; expected to close Q2 2026
  • Private Equity at Goldman Sachs Alternatives takes majority position
  • Lightyear Capital steps back to minority investor
  • Capital earmarked for: UK and European expansion, healthcare/financial-services service-line growth, large-scale M&A
  • Leadership team remains in place; client service delivery uninterrupted

Recent Strategic Acquisitions:

INSYTE CPAs, LLC (August 2024)

  • Headquartered in Birmingham, Alabama
  • Led by founder and Managing Partner Cindy Wyatt
  • Specialty: Risk management, internal controls, business processes; clients in healthcare, banking, insurance, government contracting, technology, professional services
  • Strategic Rationale: Expand core SOC services and geographic reach

Sustas, LLC Sustainability Practice (November 2024)

  • Acquired the sustainability reporting practice of Sustas, LLC
  • Paired with Schellman’s newly obtained ISO 14001 accreditation from ANAB
  • Strengthens environmental/ESG attestation capability ahead of evolving climate disclosure rules

Scott S. Perry, CPA PLLC (January 2022)

  • Bellevue-based firm specializing in certificate authority audits, crypto/Web3 digital trust
  • Scott Perry joined Schellman’s leadership team
  • Built foundation for current Web3/blockchain attestation services

Comprehensive Accreditation Portfolio

Schellman’s accreditation depth is impressive even among Top 50 CPA firms:

Government:

  • FedRAMP 3PAO (#1 globally, accredited July 27, 2012; first 3PAO to reach 200 assessments)
  • Facility Security Clearance (FCL) — DoD classified systems (March 2025)
  • CMMC C3PAO (Authorized under CMMC 2.0; performed first JVSA assessment)
  • StateRAMP 3PAO

Audit & Compliance:

  • AICPA (SOC reports)
  • CPA Firm (Top 50 — ranked #46 on Accounting Today’s 2026 Top 100 Firms)
  • PCAOB Registered (public company audits)
  • ANAB Accredited Certification Body (ISO 27001/27701/42001/9001/22301/14001)
  • A2LA accreditation under ISO/IEC 17020:2012

Industry-Specific:

  • HITRUST CSF Assessor
  • PCI QSA (Qualified Security Assessor) — globally licensed; also PCI PIN, P2PE, 3DS
  • TISAX Assessor (automotive industry, European)
  • HDS Assessor (French health data)
  • APEC Accountability Agent (Cross-Border Privacy Rules)

This breadth signals serious investment in quality and capability across diverse compliance frameworks.

Target Market & Ideal Clients

Primary Focus:

1. Government Contractors (DOMINANT NICHE)

  • Defense contractors needing CMMC
  • Federal agencies requiring FedRAMP
  • State/local government (StateRAMP)
  • Classified systems operators (DoD IL6) - unique capability

2. Healthcare Organizations

  • HITRUST + HIPAA compliance
  • Health data hosting (HDS for EU)
  • Privacy-sensitive operations (ISO 27701)

3. Financial Services

  • PCI DSS for payment processors
  • SOC 2 for FinTech
  • Cross-compliance (SOC + ISO + PCI)

4. Automotive & Manufacturing

  • TISAX assessments for supply chains
  • ISO 9001 quality management

5. Technology Companies

  • Cloud service providers (FedRAMP, ISO 27017/27018)
  • AI/ML companies (ISO 42001)
  • SaaS startups through Fortune 500

Geographic Reach:

Offices: Tampa, FL (HQ at 4010 W Boy Scout Blvd, Suite 600), Atlanta, San Francisco, Columbus (OH), and Hyderabad (India). 2024 INSYTE acquisition added a Birmingham (Alabama) footprint. TISAX/HDS accreditations support European delivery, and the 2026 Goldman Sachs Alternatives investment is specifically earmarked for UK and European expansion.

Who Should Choose Schellman

Best Fit For:

  • Defense contractors needing CMMC + FedRAMP combination
  • Federal agencies requiring top-tier FedRAMP 3PAO
  • Classified systems operators - unique FCL capability creates monopoly-like position
  • Healthcare organizations needing HITRUST + HIPAA + SOC 2 bundle
  • Multi-framework compliance seekers wanting “The Power of One” (single auditor for all needs)
  • Companies wanting Top 50 CPA brand for investor/customer confidence
  • International operations requiring TISAX, HDS, or European standards
  • AI/ML companies needing ISO 42001 alongside SOC 2

Not Ideal For:

  • Price-sensitive startups - Schellman likely premium-priced as Top 50 CPA firm
  • Companies wanting boutique personalization - 700+ clients = scale vs. white-glove trade-off
  • Simple SOC 2-only needs - Schellman’s cross-compliance expertise may be overkill for basic requirements
  • Organizations prioritizing technology platforms - No proprietary audit platform disclosed (unlike A-LIGN’s A-SCEND)

Client Experience & Satisfaction

While Schellman has fewer public testimonials than some competitors (likely due to enterprise/government focus where clients review less publicly), available feedback emphasizes consistent themes:

Quality & Expertise:

“Depth of expertise in information technology control and breadth of compliance services… dedication to high quality and service excellence” — Cindy Wyatt, INSYTE CPAs

Long-Term Partnerships:

“Strategic 3PAO partner… consistently delivering exceptional assessment services” — Kevin Carr, Palantir

Professional Service Delivery:

  • “Exceptional assessment services”
  • “Depth of expertise” and “breadth of compliance services”
  • Long-term strategic partnerships (Palantir as repeat client)

Reputation Indicators:

1. Market Leadership: #1 FedRAMP 3PAO globally — objectively verifiable on the FedRAMP Marketplace (201 total assessments as of April 2026; first to reach the 200 milestone).

2. 98% Client Retention: Per Schellman’s AWS Marketplace listing — unusually high for a Top 50 CPA firm in a competitive RFP-driven market.

3. Government Trust: Facility Security Clearance is extraordinarily difficult to obtain. DoD doesn’t grant FCL casually — it requires extensive background checks, facility security, and deep institutional trust.

4. First-Mover Advantage: Performed first CMMC JVSA assessment — selected for pilot program indicates DoD confidence. World’s first ANAB-accredited ISO 42001 certification body positions Schellman first on AI governance.

5. Client Quality: Palantir Technologies, one of the most security-conscious defense tech companies, maintains long-term strategic partnership. Clients have secured 870+ ATOs across 71 federal agencies.

Pricing & Timeline

Pricing (Not Publicly Disclosed):

Schellman does not publish pricing. Industry estimates for Top 50 CPA firms suggest:

SOC 2 Type II Estimated Ranges:

  • Startup/SMB: $20,000 - $50,000
  • Mid-Market: $50,000 - $100,000
  • Enterprise: $100,000 - $250,000+

FedRAMP (Known High Cost):

  • FedRAMP Moderate: $150,000 - $500,000+
  • FedRAMP High: $300,000 - $1,000,000+

CMMC:

  • Level 1: $15,000 - $30,000
  • Level 2: $40,000 - $100,000
  • Level 3: $100,000 - $250,000+

GRC Partnership Estimate: “Secureframe + BDO, MHM, Schellman: ~$20K-$50K” suggests mid-to-upper specialist range for SOC 2, likely justified by Top 50 CPA firm brand and cross-compliance expertise.

Schellman’s 2026 reported revenue is $197 million (per Accounting Today’s 2026 Top 100) — implying an average client engagement of roughly $200K when divided across the 900+ client base, consistent with mid-market to enterprise positioning.

Timeline:

  • Report Delivery: 4-6 weeks post-fieldwork (industry standard for Top 50 firms)
  • Total Timeline: 3-12 months depending on framework, observation period, and complexity

Competitive Positioning

Unique Differentiators:

1. Unmatched Government/Defense Capability

  • #1 FedRAMP 3PAO globally — first to assess 200 cloud service offerings
  • Facility Security Clearance (FCL) for classified DoD assessments — a rare credential among audit firms
  • Original CMMC C3PAO, reauthorized under CMMC 2.0; performed the first JVSA assessment
  • 870+ ATOs delivered across 71 federal agencies

For classified DoD work, defense contractors and federal agencies requiring FCL-enabled assessments have very few alternatives.

2. Cross-Compliance Mastery

“The Power of One” isn’t just marketing — 2,000+ SOC reports annually + ANAB-accredited ISO certification body (including world’s first for ISO 42001) + FedRAMP #1 + HITRUST + PCI + APEC Accountability Agent demonstrates genuine breadth executed at scale across 60+ assessment service types.

3. Top 50 CPA Firm Prestige

Ranked #46 on Accounting Today’s 2026 Top 100 with $197M in revenue and ~500 employees. More credible than specialist boutiques, less expensive than Big 4, with PCAOB registration for public company work.

4. International Reach

TISAX (European automotive) + HDS (French healthcare) + APEC Cross-Border Privacy Rules + Hyderabad delivery center + planned UK/European expansion (Goldman Sachs Alternatives investment) differentiates from U.S.-only competitors.

5. 20+ Year Track Record

Founded 2002 = proven staying power with 2,000+ SOC reports annually demonstrating consistent delivery at scale.

6. AI Governance First-Mover

World’s first ANAB-accredited ISO 42001 certification body + Microsoft SSPA expertise positions Schellman ahead of competitors for AI/ML compliance needs.

7. 98% Client Retention

Self-reported retention rate indicates strong long-term relationships and consistent service quality at scale.

Potential Limitations:

1. Premium Pricing

Top 50 CPA firm = higher costs than boutiques. May lose price-sensitive startups to A-LIGN, Prescient, KirkpatrickPrice.

2. No Proprietary Technology Platform

Unlike A-LIGN’s A-SCEND or Prescient’s platform integrations, Schellman appears to use traditional audit processes. This may mean slower evidence collection and less real-time visibility.

3. Scale vs. Personalization Trade-off

900+ clients, 2,000+ reports annually, ~500 employees = potential to feel like a number rather than receiving boutique white-glove service.

4. Private Equity Ownership — Now Two Sponsors

Lightyear Capital recapitalized in 2021; Goldman Sachs Alternatives takes majority position in Q2 2026 (with Lightyear staying on as minority). Two PE sponsors increase the likelihood of continued aggressive M&A and an eventual exit / IPO over the next 5-7 years.

Strategic Initiatives & Growth Trajectory

2021-2026 Focus (Under Avani Desai + Lightyear, now joined by Goldman Sachs Alternatives):

1. Government Market Expansion:

  • Facility Security Clearance (March 2025) — classified DoD assessments
  • CMMC 2.0 reauthorization — defense contractor market
  • StateRAMP growth — state/local government cloud
  • 200 FedRAMP assessed offerings milestone (April 2026)

2. Acquisitions:

  • Scott S. Perry, CPA PLLC (January 2022) — Web3/digital trust practice
  • INSYTE CPAs (August 2024) — geographic expansion and SOC capability
  • Sustas, LLC sustainability practice (November 2024) — ESG services diversification

3. Emerging Compliance:

  • ISO 42001 AI governance (world’s first ANAB-accredited certification body)
  • EU AI Act advisory
  • Microsoft SSPA Section K (AI) assessments
  • Web3/blockchain attestations
  • Sustainability/ESG reporting (paired with ISO 14001)

4. International Expansion:

  • TISAX (European automotive)
  • HDS (French healthcare)
  • APEC Accountability Agent (cross-border privacy)
  • UK and European expansion explicitly named as a use of the 2026 Goldman Sachs Alternatives capital

Bottom Line

Schellman represents Top 50 CPA firm quality with government/defense specialization. Their #1 FedRAMP 3PAO position (first to reach 200 cloud service assessments) combined with their Facility Security Clearance creates a defensive competitive moat for classified government work that competitors cannot easily replicate.

“The Power of One” cross-compliance positioning is backed by genuine capability: 2,000+ SOC reports annually, ANAB-accredited ISO certification body (world’s first for ISO 42001), leading FedRAMP practice (870+ ATOs delivered), HITRUST assessor, PCI QSA, APEC Accountability Agent, and international reach (TISAX, HDS). This breadth — 60+ assessment service types executed at scale — differentiates Schellman from both boutique specialists (limited scope) and Big 4 (higher cost).

For defense contractors needing CMMC + FedRAMP, federal agencies requiring FedRAMP, or classified systems operators, Schellman’s unique FCL capability makes them the only viable choice for certain assessments. Healthcare organizations needing HITRUST + HIPAA + SOC 2 bundles also benefit from their cross-compliance expertise.

The Top 50 CPA firm brand provides credibility for investor/customer confidence without Big 4 pricing, while 20+ years of compliance focus demonstrates staying power and institutional knowledge.

However, Schellman is optimized for enterprise and government clients, not price-sensitive startups or organizations wanting boutique personalization. The lack of proprietary technology platform (like A-LIGN’s A-SCEND) may mean traditional audit processes rather than tech-enabled efficiency. Private equity ownership introduces potential exit timeline pressures.

If you’re a defense contractor, federal agency, healthcare organization, or enterprise requiring multiple compliance frameworks with Top 50 brand prestige, Schellman’s combination of government expertise, cross-compliance capability, and institutional maturity makes them a top-tier choice - particularly if classified assessment capability matters for current or future needs.

Office Locations

Tampa, FL (HQ — 4010 W Boy Scout Blvd, Suite 600)
Atlanta, GA
San Francisco, CA
Columbus, OH
Hyderabad, India

Compliance Frameworks Offered

  • SOC 1, 2, 3
  • SOC for Cybersecurity
  • FedRAMP (Moderate, High, DoD IL6)
  • CMMC (C3PAO - Original Authorization)
  • StateRAMP
  • ISO 27001, 27701, 27017, 27018
  • ISO 42001 (AI Management Systems — world's first ANAB-accredited certification body)
  • ISO 9001, 22301, 14001 (Environmental)
  • HITRUST CSF
  • PCI DSS (QSA), PCI PIN, PCI P2PE, PCI 3DS
  • TISAX (Automotive)
  • HDS (French Health Data)
  • HIPAA
  • APEC Cross-Border Privacy Rules (Accountability Agent)

Platform Integrations

  • Traditional audit processes
  • No proprietary platform disclosed

Client Testimonials

"Schellman has been a strategic 3PAO partner for Palantir consistently delivering exceptional assessment services. We are excited to see them expand their capabilities into cleared environments."

Kevin Carr
US Government Cloud Compliance Lead
Palantir Technologies

"Not only do we have confidence in the Schellman team's depth of expertise in information technology control and breadth of compliance services, but we also know they share the same dedication to high quality and service excellence."

Cindy Wyatt
Founder
INSYTE CPAs (Acquired 2024)

What Industries Does Schellman Serve?

6 industries — National average: 7

  • Government/Defense
  • Healthcare
  • Financial Services
  • Technology/SaaS
  • Automotive
  • Cloud Services

What Certifications Does Schellman Hold?

14 certifications — National average: 3

  • AICPA
  • CPA Firm
  • Top 50 CPA Firm
  • PCAOB Registered
  • ISO 27001 Certification Body (ANAB)
  • ISO 42001 (AI)
  • FedRAMP 3PAO (#1 Globally)
  • CMMC C3PAO (Original Authorization)
  • Facility Security Clearance (DoD)
  • StateRAMP
  • HITRUST CSF Assessor
  • PCI DSS QSA
  • TISAX (Automotive)
  • HDS (French Healthcare)

Audit Platform

Traditional Audit Processes

Schellman SOC 2 Audit FAQ

Schellman SOC 2 Type I audits typically range from $15K to $30K. Type II audits range from $20K to $100K. This is below average for national firms — the national tier average is $40.263K–$106.842K. Final pricing depends on your organization's scope, number of trust service criteria, and system complexity.

Questions to Ask Schellman Before Hiring

A buyer-side checklist. Bring these to your first call — the answers separate firms that have run hundreds of SOC 2 engagements from firms that are bidding on them.

  1. Your team is sized at 500-700+. How many auditors will be assigned to my engagement, and who is the engagement lead — a partner, a senior manager, or a staff auditor?
  2. You quote 3–12 months. What pushes a project to the longer end of that range, and what does "audit-ready on day one" look like to you?
  3. Your Type II range is $20K–$100K. What's included at each end, and what scope changes would push pricing above the top of that range?
  4. We've talked to similar firms in the national tier. What's a question buyers like us should be asking that they usually don't?
  5. Who reviews and signs the report on your side — is that a partner-level CPA, and how involved are they during fieldwork versus only at sign-off?
  6. How do you handle subservice carve-outs (e.g., AWS, GCP, Azure) versus inclusive subservice organizations when defining our scope?
  7. When you find an issue mid-audit, what's your remediation cadence — same-day flagging, weekly checkpoints, or an end-of-fieldwork rollup?
  8. Do you have surge windows (e.g., Q4 financial-year close) when start dates slip, and how far in advance do we need to lock the engagement to avoid them?
