
Schellman

Tampa, FL, USA
Founded 2002
500-700+ team

Quick Facts

  • SOC 2 Type I Cost: $15K - $30K (estimated pricing range)
  • SOC 2 Type II Cost: $20K - $100K (estimated pricing range)
  • Typical Timeline: 3-12 months (from start to completion)
  • Team Size: 500-700+
  • Report Delivery: 4-6 weeks
  • Response Time: Professional and responsive

Note: Pricing shown is estimated based on typical engagements. Request a quote for accurate pricing based on your specific requirements.

Best For

Defense contractors needing CMMC + FedRAMP, federal agencies requiring top-tier FedRAMP 3PAO, classified systems operators (ONLY auditor with DoD Facility Security Clearance), healthcare organizations needing HITRUST + SOC 2 bundles, companies wanting Top 50 CPA brand with multi-framework expertise

What Sets Them Apart

#1 FedRAMP 3PAO globally with unmatched government/defense expertise. ONLY audit firm with DoD Facility Security Clearance for classified assessments (unassailable competitive moat). Top 50 CPA firm issuing 1,000+ SOC reports annually. 'The Power of One' cross-compliance: SOC + ISO + FedRAMP + HITRUST + PCI + CMMC under single roof. Founded 2002, 20+ years compliance focus

About Schellman & Company, LLC

Schellman & Company represents the gold standard for government and defense compliance, combining Top 50 CPA firm credibility with unmatched FedRAMP and CMMC expertise. Founded in 2002 by Chris Schellman as a two-person SAS 70 audit shop, the firm has grown to become the #1 FedRAMP 3PAO globally with 1,000+ SOC reports issued annually and 700+ clients worldwide.

Now led by CEO Avani Desai (since 2021), Schellman operates under private equity ownership (Lightyear Capital) while maintaining its founding commitment to cross-compliance expertise. The firm’s recent achievement of Facility Security Clearance (FCL) makes it the only audit firm authorized to conduct classified DoD assessments - a capability that creates an almost insurmountable competitive moat.

Schellman serves defense contractors, federal agencies, healthcare organizations, financial services companies, and technology firms seeking Top 50 CPA brand prestige with deep technical expertise across SOC, ISO, FedRAMP, HITRUST, PCI, and CMMC frameworks.

Government & Defense Dominance (PRIMARY DIFFERENTIATOR)

Schellman’s government and defense capabilities are genuinely unmatched among compliance auditors:

FedRAMP Leadership:

  • #1 FedRAMP 3PAO globally - leading market share for federal cloud security authorizations
  • FedRAMP Moderate (most common authorization level)
  • FedRAMP High (sensitive data, law enforcement, emergency services)
  • DoD Impact Level 6 (IL6) assessments for classified systems
  • Facility Security Clearance (FCL) - enables classified DoD assessments

This FCL achievement is extraordinary. Obtaining facility security clearance requires extensive background checks, facility security measures, and deep DoD trust. Schellman is the only audit firm with this capability - creating a defensive moat competitors cannot easily replicate.

CMMC Excellence:

  • Original C3PAO - among first authorized under CMMC 1.0
  • Reauthorized C3PAO - under finalized CMMC 2.0 program
  • First JVSA Assessment - performed first Joint Voluntary Surveillance Assessment
  • Level 1, 2, 3 assessments for defense contractors

StateRAMP:

State-level FedRAMP equivalent for state/local government cloud services

Client Validation:

“Schellman has been a strategic 3PAO partner for Palantir consistently delivering exceptional assessment services. We are excited to see them expand their capabilities into cleared environments.” — Kevin Carr, Palantir Technologies US Government Cloud Compliance Lead

Palantir as a client - one of the most security-sensitive defense technology companies - validates Schellman’s high-assurance capabilities and government expertise.

“The Power of One” - Cross-Compliance Expertise

Schellman’s positioning centers on “The Power of One” - comprehensive cross-compliance capability combining SOC, ISO, FedRAMP, HITRUST, PCI, and CMMC under a single roof. This appeals to organizations tired of coordinating multiple auditors with duplicate work.

Core Compliance Services:

SOC Audits:

  • SOC 1, 2, 3
  • SOC for Cybersecurity
  • 1,000+ SOC reports annually (largest volume globally alongside A-LIGN)
  • Clients ranging from startups to Fortune 500

ISO Certifications (ANAB Accredited Certification Body):

  • ISO 27001 (Information Security)
  • ISO 27701 (Privacy)
  • ISO 42001 (AI Management Systems)
  • ISO 9001 (Quality Management)
  • ISO 22301 (Business Continuity)
  • ISO 27017/27018 (Cloud Security/Privacy)

Healthcare & Privacy:

  • HITRUST CSF Assessor
  • HIPAA assessments

Payment Security:

  • PCI DSS QSA (Qualified Security Assessor)
  • PCI PIN, PCI P2PE, PCI 3DS

International & Specialized:

  • TISAX (Trusted Information Security Assessment Exchange - automotive industry, European)
  • HDS (Hébergeur de Données de Santé - French health data hosting)
  • Penetration Testing (including classified systems)

Emerging Services:

AI Governance:

  • ISO 42001 assessments
  • EU AI Act compliance advisory
  • Microsoft SSPA Section K (AI) assessments

Sustainability/ESG:

  • Sustainability reporting services (via 2023 acquisition)
  • Corporate governance and transparent reporting

Web3/Blockchain:

  • Cryptography-based communication attestations
  • Blockchain storage verification
  • Verifiable digital credentials

Leadership & Organizational Evolution

Avani Desai - Chief Executive Officer

Background:

  • 15+ years in IT attestation, risk management, compliance, and privacy
  • Featured in Forbes, CIO.com, Wall Street Journal
  • Named 2017 Global Leader in Consulting by Consulting Magazine

Focus Areas:

  • Emerging healthcare issues and privacy concerns
  • Future technology trends and AI governance
  • Women in technology advocacy

Philanthropy & Boards:

  • Board member: Arnold Palmer Medical Center, Philanos, Central Florida Foundation (Audit Committee Chair)
  • Co-chair: 100 Women Strong (female venture capitalist giving circle)

Corporate Structure & PE Ownership:

2021 Lightyear Capital Transaction:

  • Private equity firm Lightyear Capital (NYC-based, financial services-focused) acquired majority ownership
  • Chris Schellman (founder) exited 6 years early (2021 vs. 2027 planned retirement)
  • Avani Desai elevated from President to CEO
  • Senior leadership team retained for continuity

Recent Strategic Acquisitions:

INSYTE CPAs, LLC (August 2024)

  • Headquartered in Birmingham, Alabama
  • Led by founder Cindy Wyatt
  • Specialty: Risk management, internal controls, business processes
  • Strategic Rationale: Expand core SOC services and geographic reach

Sustainability Reporting (2023)

  • Expanding into ESG/sustainability attestation services
  • Demonstrates evolution beyond traditional compliance

Comprehensive Accreditation Portfolio

Schellman’s accreditation depth is impressive even among Top 50 CPA firms:

Government:

  • FedRAMP 3PAO (#1 globally)
  • Facility Security Clearance (FCL) - DoD classified systems
  • CMMC C3PAO (Authorized under CMMC 2.0)
  • StateRAMP 3PAO

Audit & Compliance:

  • AICPA (SOC reports)
  • CPA Firm (Top 50 ranking)
  • PCAOB Registered (public company audits)
  • ANAB Accredited Certification Body (ISO 27001/27701/42001/9001/22301)

Industry-Specific:

  • HITRUST CSF Assessor
  • PCI QSA (Qualified Security Assessor)
  • TISAX Assessor (automotive industry, European)
  • HDS Assessor (French health data)

This breadth signals serious investment in quality and capability across diverse compliance frameworks.

Target Market & Ideal Clients

Primary Focus:

1. Government Contractors (DOMINANT NICHE)

  • Defense contractors needing CMMC
  • Federal agencies requiring FedRAMP
  • State/local government (StateRAMP)
  • Classified systems operators (DoD IL6) - unique capability

2. Healthcare Organizations

  • HITRUST + HIPAA compliance
  • Health data hosting (HDS for EU)
  • Privacy-sensitive operations (ISO 27701)

3. Financial Services

  • PCI DSS for payment processors
  • SOC 2 for FinTech
  • Cross-compliance (SOC + ISO + PCI)

4. Automotive & Manufacturing

  • TISAX assessments for supply chains
  • ISO 9001 quality management

5. Technology Companies

  • Cloud service providers (FedRAMP, ISO 27017/27018)
  • AI/ML companies (ISO 42001)
  • SaaS startups through Fortune 500

Geographic Reach:

Global Operations: Offices worldwide with TISAX/HDS capabilities suggesting strong European presence. Recent acquisitions (INSYTE in Alabama) demonstrate geographic expansion strategy.

Who Should Choose Schellman

Best Fit For:

  • Defense contractors needing CMMC + FedRAMP combination
  • Federal agencies requiring top-tier FedRAMP 3PAO
  • Classified systems operators - unique FCL capability creates monopoly-like position
  • Healthcare organizations needing HITRUST + HIPAA + SOC 2 bundle
  • Multi-framework compliance seekers wanting “The Power of One” (single auditor for all needs)
  • Companies wanting Top 50 CPA brand for investor/customer confidence
  • International operations requiring TISAX, HDS, or European standards
  • AI/ML companies needing ISO 42001 alongside SOC 2

Not Ideal For:

  • Price-sensitive startups - Schellman likely premium-priced as Top 50 CPA firm
  • Companies wanting boutique personalization - 700+ clients = scale vs. white-glove trade-off
  • Simple SOC 2-only needs - Schellman’s cross-compliance expertise may be overkill for basic requirements
  • Organizations prioritizing technology platforms - No proprietary audit platform disclosed (unlike A-LIGN’s A-SCEND)

Client Experience & Satisfaction

While Schellman has fewer public testimonials than some competitors (likely due to enterprise/government focus where clients review less publicly), available feedback emphasizes consistent themes:

Quality & Expertise:

“Depth of expertise in information technology control and breadth of compliance services… dedication to high quality and service excellence” — Cindy Wyatt, INSYTE CPAs

Long-Term Partnerships:

“Strategic 3PAO partner… consistently delivering exceptional assessment services” — Kevin Carr, Palantir

Professional Service Delivery:

  • “Exceptional assessment services”
  • “Depth of expertise” and “breadth of compliance services”
  • Long-term strategic partnerships (Palantir as repeat client)

Reputation Indicators:

1. Market Leadership: #1 FedRAMP 3PAO globally - objectively verifiable market position

2. Government Trust: Facility Security Clearance is extraordinarily difficult to obtain. DoD doesn’t grant FCL casually - it requires extensive background checks, facility security, and deep institutional trust.

3. First-Mover Advantage: Performed the first CMMC JVSA assessment - selection for the pilot program indicates DoD confidence

4. Client Quality: Palantir Technologies, one of the most security-conscious defense tech companies, maintains long-term strategic partnership

Pricing & Timeline

Pricing (Not Publicly Disclosed):

Schellman does not publish pricing. Industry estimates for Top 50 CPA firms suggest:

SOC 2 Type II Estimated Ranges:

  • Startup/SMB: $20,000 - $50,000
  • Mid-Market: $50,000 - $100,000
  • Enterprise: $100,000 - $250,000+

FedRAMP (Known High Cost):

  • FedRAMP Moderate: $150,000 - $500,000+
  • FedRAMP High: $300,000 - $1,000,000+

CMMC:

  • Level 1: $15,000 - $30,000
  • Level 2: $40,000 - $100,000
  • Level 3: $100,000 - $250,000+

GRC Partnership Estimate: “Secureframe + BDO, MHM, Schellman: ~$20K-$50K” suggests mid-to-upper specialist range for SOC 2, likely justified by Top 50 CPA firm brand and cross-compliance expertise.

Timeline:

  • Report Delivery: 4-6 weeks post-fieldwork (industry standard for Top 50 firms)
  • Total Timeline: 3-12 months depending on framework, observation period, and complexity

Competitive Positioning

Unique Differentiators:

1. Unmatched Government/Defense Capability

  • #1 FedRAMP 3PAO globally
  • Only audit firm with Facility Security Clearance for classified DoD assessments
  • Original CMMC C3PAO with 20+ years government compliance focus

This creates a near-monopoly for classified system audits. Defense contractors and federal agencies requiring FCL-enabled assessments have limited alternatives.

2. Cross-Compliance Mastery: “The Power of One” isn’t just marketing - 1,000+ SOC reports annually + ISO certification body status + FedRAMP #1 position + HITRUST + PCI demonstrates genuine breadth executed at scale.

3. Top 50 CPA Firm Prestige: More credible than specialist boutiques, less expensive than Big 4, with PCAOB registration for public company work.

4. International Reach: TISAX (European automotive) + HDS (French healthcare) + global delivery capability differentiates from U.S.-only competitors.

5. 20+ Year Track Record: Founded 2002 = proven staying power, with 1,000+ SOC reports annually demonstrating consistent delivery at scale.

6. AI Governance Positioning: Early ISO 42001 adoption + Microsoft SSPA expertise positions Schellman ahead of competitors for AI/ML compliance needs.

Potential Limitations:

1. Premium Pricing: Top 50 CPA firm = higher costs than boutiques. May lose price-sensitive startups to A-LIGN, Prescient, KirkpatrickPrice.

2. No Proprietary Technology Platform: Unlike A-LIGN’s A-SCEND or Prescient’s platform integrations, Schellman appears to use traditional audit processes. This may mean slower evidence collection and less real-time visibility.

3. Scale vs. Personalization Trade-off: 700+ clients and 1,000+ reports annually = potential to feel like a number rather than receiving boutique white-glove service.

4. Private Equity Ownership: Lightyear Capital exit pressure (5-7 year timeline from 2021) could drive aggressive growth tactics or an eventual sale/IPO.

Strategic Initiatives & Growth Trajectory

2021-2026 Focus (Under Avani Desai + Lightyear Capital):

1. Government Market Expansion:

  • Facility Security Clearance (2025) - classified DoD assessments
  • CMMC 2.0 reauthorization - defense contractor market
  • StateRAMP growth - state/local government cloud

2. Acquisitions:

  • INSYTE CPAs (August 2024) - geographic expansion and SOC capability
  • Sustainability firm (2023) - ESG services diversification

3. Emerging Compliance:

  • ISO 42001 AI governance
  • EU AI Act advisory
  • Web3/blockchain attestations
  • Sustainability/ESG reporting

4. International Expansion:

  • TISAX (European automotive)
  • HDS (French healthcare)
  • Continued global accreditation strategy

Bottom Line

Schellman represents Top 50 CPA firm quality with government/defense specialization. Their #1 FedRAMP 3PAO position combined with unique Facility Security Clearance creates a defensive competitive moat for classified government work that competitors cannot easily replicate.

“The Power of One” cross-compliance positioning is backed by genuine capability: 1,000+ SOC reports annually, ANAB-accredited ISO certification body, leading FedRAMP practice, HITRUST assessor, PCI QSA, and international reach (TISAX, HDS). This breadth executed at scale differentiates Schellman from both boutique specialists (limited scope) and Big 4 (higher cost).

For defense contractors needing CMMC + FedRAMP, federal agencies requiring FedRAMP, or classified systems operators, Schellman’s unique FCL capability makes them the only viable choice for certain assessments. Healthcare organizations needing HITRUST + HIPAA + SOC 2 bundles also benefit from their cross-compliance expertise.

The Top 50 CPA firm brand provides credibility for investor/customer confidence without Big 4 pricing, while 20+ years of compliance focus demonstrates staying power and institutional knowledge.

However, Schellman is optimized for enterprise and government clients, not price-sensitive startups or organizations wanting boutique personalization. The lack of proprietary technology platform (like A-LIGN’s A-SCEND) may mean traditional audit processes rather than tech-enabled efficiency. Private equity ownership introduces potential exit timeline pressures.

If you’re a defense contractor, federal agency, healthcare organization, or enterprise requiring multiple compliance frameworks with Top 50 brand prestige, Schellman’s combination of government expertise, cross-compliance capability, and institutional maturity makes them a top-tier choice - particularly if classified assessment capability matters for current or future needs.

Office Locations

Tampa, FL (HQ)
Multiple global locations

Compliance Frameworks Offered

  • SOC 1, 2, 3
  • SOC for Cybersecurity
  • FedRAMP (Moderate, High, DoD IL6)
  • CMMC (C3PAO - Original Authorization)
  • StateRAMP
  • ISO 27001, 27701, 27017, 27018
  • ISO 42001 (AI Management Systems)
  • ISO 9001, 22301
  • HITRUST CSF
  • PCI DSS (QSA)
  • TISAX (Automotive)
  • HDS (French Health Data)
  • HIPAA

Platform Integrations

Traditional audit processes; no proprietary platform disclosed

Client Testimonials

"Schellman has been a strategic 3PAO partner for Palantir consistently delivering exceptional assessment services. We are excited to see them expand their capabilities into cleared environments."

Kevin Carr
US Government Cloud Compliance Lead
Palantir Technologies

"Not only do we have confidence in the Schellman team's depth of expertise in information technology control and breadth of compliance services, but we also know they share the same dedication to high quality and service excellence."

Cindy Wyatt
Founder
INSYTE CPAs (Acquired 2024)

Industry Expertise

  • Government/Defense
  • Healthcare
  • Financial Services
  • Technology/SaaS
  • Automotive
  • Cloud Services

Accreditations & Certifications

  • AICPA CPA Firm
  • Top 50 CPA Firm
  • PCAOB Registered
  • ISO 27001 Certification Body (ANAB)
  • ISO 42001 (AI)
  • FedRAMP 3PAO (#1 Globally)
  • CMMC C3PAO (Original Authorization)
  • Facility Security Clearance (DoD)
  • StateRAMP
  • HITRUST CSF Assessor
  • PCI DSS QSA
  • TISAX (Automotive)
  • HDS (French Healthcare)

Audit Platform

Traditional Audit Processes
