Barnes Dennig

About Barnes Dennig

Barnes Dennig is an independent, employee-owned U.S.-based CPA and advisory firm founded in 1965 by Bob Barnes and Al Dennig, headquartered in Cincinnati, Ohio. Being employee-owned means no outside investor or parent firm sits behind the audit opinion, which the firm points to as part of the objective, stakeholder-focused stance it brings to every engagement. Effective January 1, 2025, the firm merged with Indianapolis-based Greenwalt CPAs (founded 1945), creating one combined firm operating under the Barnes Dennig name. The combined firm now has roughly 225 employees across five offices in three states — Cincinnati and Dayton (Ohio), Crestview Hills (Kentucky), and two locations in Indianapolis (Indiana).

The firm celebrated its 60th anniversary in 2025 and is recognized as a Top 200 Inside Public Accounting “Best of the Best” firm. Jay Rammes has served as Managing Director since 2018 and continues to lead the combined firm post-merger.

For SOC-specific work, approximately 20 people focus exclusively on SOC reports — readiness, fieldwork, audit, and report issuance handled entirely in-house, with no portion of the engagement outsourced. The SOC team is distributed across six time zones, allowing them to serve clients ranging from two-person startups to large multinationals. Their public materials confirm SOC clients in the United States as well as New Zealand, Europe, and the Philippines.

The firm is in good standing with the AICPA Peer Review Program, the independent CPA-firm-on-CPA-firm review of compliance with professional standards. Buyers running third-party risk reviews or vendor due diligence can use peer review status as part of the trust signal.

SOC Practice Leadership

Robert J. Ramsay (CPA, CISA, CITP) leads the Risk Management and SOC Reporting practice. Robert is:

• An AICPA-designated SOC specialist — a credential that allows him to serve as a quality control inspector for other firms’ SOC reports nationally
• An instructor for the AICPA’s SOC School, training other firms on planning, executing, and reporting on SOC engagements
• A Certified Common Security Framework (CSF) Practitioner through the HITRUST Academy
• The author of the first HMIS attestation guide
• 22+ years of experience in technology audits and SOC reporting; 15+ years of helping organizations strengthen internal controls
• Former president of the Cincinnati ISACA chapter; frequent presenter for AICPA and ISACA

That AICPA SOC School and quality-control-inspector credential is unusual — most firms send their staff to SOC School. Barnes Dennig sends an instructor.

Other named members of the SOC team include:

• Bryan Gayhart (CPA, CISA, HITRUST CCSFP) — Director, SOC Reporting
• Morgan Ryle (CPA) — Director, SOC Reporting
• Cheryl Ganim — SOC Reporting team
• Myles Wallace — SOC Reporting (author of public SOC 2 Plus guidance)

Engagement Philosophy

Barnes Dennig positions itself away from transactional, checkbox-style audits. The emphasis is on quality of work and long-term client relationships — clients who stay with them across multiple report cycles, framework expansions, and growth stages, rather than one-off engagements driven purely by procurement.

This shows up operationally in two specific ways the partner team called out:

1. No outsourcing. The full scope of every SOC engagement — readiness through report issuance — is handled by Barnes Dennig employees. No subcontractors, no white-labeled deliverables.
2. Same-team continuity. Public client testimonials repeatedly name the same auditors (Ramsay, Gayhart, Ryle, Ganim) over multi-year engagements — a signal that staffing is stable rather than rotating juniors through accounts.

Multi-Framework Coverage and SOC 2 Plus

SOC 2 is the core of the practice, but the same team handles a broad set of adjacent frameworks — including SOC 2+ reports that bundle multiple framework attestations into a single AICPA-backed deliverable.

SOC reports

• SOC 1 Type I and Type II (financial reporting controls / SSAE 18)
• SOC 2 Type I and Type II (Security, Availability, Confidentiality, Processing Integrity, Privacy)
• SOC 3 (public-facing summary report)

SOC 2+ extended frameworks

A single SOC 2+ report can include any of the following alongside the AICPA Trust Services Criteria:

• ISO/IEC 27001 (Information Security Management)
• ISO 42001 (AI management systems)
• HITRUST CSF (mapped to HIPAA)
• NIST 800-53 and NIST CSF
• HIPAA
• GDPR
• PCI DSS
• CSA Cloud Controls Matrix
• ISACA Blockchain Framework
• Germany’s C5 (Cloud Computing Compliance Controls Catalog)
• ISAE 3000 / ISAE 3402 (international assurance standards for non-US customer requirements)

AI compliance: SOC 2 + ISO 42001

Barnes Dennig has built a productized SOC 2 + ISO 42001 offering for organizations whose products or services touch AI. ISO 42001 is the world’s first international standard for managing AI — covering ethics, transparency, accountability, and risk management across the AI lifecycle. Most CPA-side SOC firms have not yet built this capability; Barnes Dennig has it as a named service line on their website.

For multi-framework buyers, the practical value of the SOC 2+ approach is consolidating multiple attestations into one audit, one fieldwork window, and one report — rather than running parallel SOC 2 and ISO 27001 engagements with two separate firms.

Industries Served

Industries the SOC practice specifically focuses on:

• Healthcare (including HITRUST and HIPAA)
• FinTech and financial services
• Banking
• Revenue management and collections (TPAs)
• Workers’ compensation and self-insured entities
• Cloud-based software vendors / SaaS
• Data centers
• AI / emerging technology (via ISO 42001)

The Barnes Dennig website lists roughly 12–15 industries — all reflecting actual client work the SOC team has delivered, not aspirational verticals.

Pricing

SOC engagements typically fall in the $15,000 to $40,000 range, quoted as a fixed fee rather than billed hourly, so the number is known before fieldwork begins. Final pricing is influenced by:

• Risk profile of the entity being audited
• Complexity of the control environment
• Size of the environment in scope
• Adherence to timeline — clients who keep evidence flowing on schedule reduce overall cost

This positions Barnes Dennig in the standard regional-CPA range for SOC 2 — below Big Four and Top 25 firm pricing, but with the structural quality benefits of a peer-reviewed CPA firm with an AICPA SOC School instructor leading the practice.

Speed and Availability

A specific operational differentiator: Barnes Dennig is able to start engagements immediately, where many comparable CPA and SOC firms quote multi-month waitlists before fieldwork begins. For companies with an external deadline driven by enterprise sales, vendor reviews, funding, or a customer contract clause, this responsiveness can be the deciding factor between firms that otherwise look similar on paper.

Quality and Trust Signals

• AICPA Peer Review Program — good standing. Standard CPA-on-CPA quality review.
• AICPA SOC School instructor (Robert Ramsay). Trains other firms; serves as quality control inspector for other firms’ SOC reports.
• Top 200 Inside Public Accounting firm; recognized as “Best of the Best.”
• 60+ year operating history (founded 1965; 60th anniversary in 2025).
• HITRUST Academy participation — including the CSF Practitioner credential.
• AICPA and ISACA active membership and presenting.

Who Barnes Dennig Fits Best

• Companies pursuing SOC 2 alongside one or more additional frameworks — ISO 27001, ISO 42001, HITRUST, NIST, HIPAA, PCI — who want a single audit team consolidating the work into a SOC 2+ report rather than running parallel engagements.
• AI-touching products that need both standard security attestation (SOC 2) and credible AI governance attestation (ISO 42001) — a combination most regional CPA firms cannot yet offer.
• Healthcare, FinTech, financial services, TPA / collections, and self-insured / workers’ comp organizations where the SOC team has direct vertical experience.
• Companies on a tight external deadline that need an auditor who can start immediately rather than after a multi-month queue.
• Buyers who want a long-term audit relationship — same partners, same team, multi-year continuity — rather than a transactional, one-off checkbox engagement.
• International companies needing US SOC reports plus ISAE 3000 / 3402 or C5 to satisfy non-US customer requirements.

Where Barnes Dennig Is Less of a Fit

• Defense / classified work requiring FedRAMP 3PAO authorization or CMMC C3PAO assessment status — not part of the current service mix.
• Pure boutique pricing at the lowest end of the market — Barnes Dennig is competitive within the regional-CPA tier, but a single-framework SOC 2 engagement at a tech-only specialist may price lower.
• Big Four brand requirement — if a board, investor, or enterprise customer specifically mandates a Big Four audit firm, Barnes Dennig is a regional CPA firm rather than a Big Four.