Last fall, George Kurtz, the chief executive officer of CrowdStrike Holdings Inc., gave investors a quarterly financial update that sent shares soaring. Among the details Kurtz highlighted was a major deal to sell cybersecurity tools for use by the U.S. government.
“Identity threat protection wins in the quarter included an eight-figure total deal value win in the federal government,” Kurtz said on the earnings call after markets closed on Nov. 28, 2023.
Kurtz was referring to a $32 million order from Carahsoft Technology Corp., which serves as a middleman between technology companies and government agencies, that arrived on the last day of CrowdStrike’s fiscal third quarter. It was for identity threat protection software intended for the Internal Revenue Service, according to documents from both companies.
But the IRS never bought the software, according to records reviewed by Bloomberg News and people with knowledge of the situation.
Still, Carahsoft has been making on-time payments on the $32 million to CrowdStrike, according to the cybersecurity firm. When asked for comment by Bloomberg News, both companies explained that they had a “non-cancellable order” between them. They declined to say why that deal was struck without a purchase in place from the IRS.
Some legal and accounting experts, who reviewed the arrangement at Bloomberg’s request, said it raises red flags that merit scrutiny from regulators. The deal also raised concerns within CrowdStrike — according to people familiar with the matter and the company itself — and many specifics of the transaction remain unclear.
CrowdStrike’s offices in Sunnyvale, California.
Benjamin Fanjoy/Bloomberg
Depending on how CrowdStrike accounted for the deal in financial statements — the company didn’t explain those details — it was big enough that it could have made the difference between the company beating or missing Wall Street projections for the period. The day after CrowdStrike reported results for the record quarter, its shares rose 10%.
Jeremy Fielding, a spokesperson representing CrowdStrike, dismissed employees’ concerns as baseless and the order’s timing as insignificant. The Austin, Texas-based cybersecurity firm closes deals “throughout the quarter, starting the first day and often through the last day,” he said.
“The Carahsoft deal went through a separate and extensive review,” he said, adding that it “was given a clean bill of health.” Fielding characterized the experts’ comments as “inaccurately speculating about a transaction that CrowdStrike confirmed fully met” an accounting standard on revenue from contracts.
CrowdStrike “closed and recognized” the deal once Carahsoft placed the order, and its booking of the revenue is consistent with standard accounting principles, according to Thomas Clare and Elizabeth Locke, lawyers representing the cybersecurity company.
A representative of Carahsoft, Mary Lange, said in an email, “Carahsoft is a private company and we do not disclose financial information or customer details. That said, we placed a valid, non-cancellable order with CrowdStrike and stand by that transaction.” The company declined to answer any other questions.
The IRS didn’t answer detailed questions. The tax agency said in a statement that it doesn’t hold any contracts with CrowdStrike directly and, in keeping with federal procurement rules, acquires its software and services through third-party vendors.
No IRS contract or payments matching the deal appear in the public government spending database USASPENDING.gov. The database excludes some information — for instance, material that could compromise national security. But the tax agency’s purchases of CrowdStrike’s products through vendors total less than $10 million, according to a person familiar with the matter.
This story is based on records of the transaction and interviews with five people familiar with the matter, who requested that their names not be published because they aren’t authorized to discuss it.
“It raises an eyebrow,” said Lawrence Cunningham, director of the University of Delaware’s John L. Weinberg Center for Corporate Governance.
“It appears on its face to be uncompensated risk, and rational businesses don’t usually accept uncompensated risk,” Cunningham said, referring to Carahsoft’s payments to CrowdStrike.
Carahsoft declined to answer questions about whether it was taking a loss on the deal or if it found a way to recoup the money.
In recent months, separate issues at CrowdStrike and Carahsoft have drawn negative attention and government scrutiny.
CrowdStrike, with annual revenues of more than $3 billion, sells security software to thousands of businesses and government agencies globally. But in July, a flawed update from the firm knocked out millions of Windows computers around the world, disrupting air travel, medical care, banks and other businesses. Executives have apologized repeatedly, including before members of Congress; the company’s share price plummeted after the outage and hasn’t fully recovered.
Carahsoft is a dominant player among resellers and distributors that help technology companies navigate the complexities of selling to government agencies. In September, agents from the FBI and the Department of Defense searched the company’s Reston, Virginia, headquarters. Lange, the Carahsoft spokesperson, previously said the company was cooperating with the FBI probe and that it involved “an investigation into a company with which Carahsoft has done business in the past.”
The Justice Department is also conducting a civil probe of Carahsoft and software giant SAP SE for potential price fixing on government contracts. The German firm is cooperating with the civil probe, a spokesperson said. SAP chief financial officer Dominik Asam told Bloomberg News that SAP had “gotten written assurance from Carahsoft” that the FBI search was “entirely unrelated” to SAP and a U.S. subsidiary.
There’s no known link between CrowdStrike and either the civil investigation or search of Carahsoft’s office. Fielding, the CrowdStrike representative, said neither investigation is connected to the cybersecurity company.
A potential deal for the IRS dates to early 2023, when CrowdStrike sales representatives began talking with agency officials about buying an identity verification tool to help prevent fraud in a new program that lets people file their taxes directly with the government, according to three people familiar with the matter.
Work continued on a potential deal in the following months, but by mid-October it had become clear to at least some CrowdStrike staff that the IRS wouldn’t order the software before the company’s quarter closed at the end of the month, the people said.
Nevertheless, on Halloween, Carahsoft ordered $32.25 million worth of subscription access to CrowdStrike’s “Government National Identity Threat Protection” service for as many as 40 million users, according to records and two of the people. The order split the purchase into four $8 million payments, with the final payment due at the end of this October. The order indicates that Carahsoft should be billed for the CrowdStrike software and that it should be shipped to the IRS’s Washington headquarters.
That day, CrowdStrike sent an automated email to dozens of staff, saying, “Opportunity has been Closed Won for Internal Revenue Service (IRS).”
The closing of the deal and Kurtz referring to it on the earnings call alarmed some staff who raised internal concerns that CrowdStrike was “pre-booking” a transaction that they viewed as incomplete because it was unclear whether the IRS would ever make the large purchase, according to three of the people. U.S. regulators have in some cases sued and fined companies over alleged pre-booking, also known as channel stuffing, claiming they misled investors by improperly recognizing revenue to inflate their financial figures.
Fielding said it was “demonstrably false” that there was any pre-booking.
That quarter, $32 million was enough to make the difference between CrowdStrike beating analysts’ expectations on two key financial metrics — annual recurring revenue and net new annual recurring revenue — or falling short of them. CrowdStrike highlighted both metrics in the earnings announcement for the quarter, but the company declined to answer questions about whether the deal was recorded under them.
Annual recurring revenue is widely used by software companies to track income from subscriptions. CrowdStrike has consistently emphasized it with investors, writing in a 2019 regulatory filing that it “is a key metric to measure our business.”
Theresa Gabaldon, a professor at the George Washington University Law School, said that for CrowdStrike to appropriately book the deal as revenue it would need to have not only received payment but also delivered the product. Neither CrowdStrike nor Carahsoft answered questions about what became of the subscription software.
“I characterize it as raising red flags,” Gabaldon, who teaches securities regulation, law and accounting, said of the deal.
Whatever happened, Carahsoft was among the companies that CrowdStrike feted at a June “partner symposium.” There, Kurtz and other CrowdStrike staff mingled with guests at a luxury resort on the southern California coast. A video shows attendees enjoying drinks and live string music on a bluff overlooking the Pacific Ocean and getting sushi-making lessons from a celebrity chef.
At the event, CrowdStrike named Carahsoft “Distributor of the Year.”
The International Auditing and Assurance Standards Board is proposing to tailor some of its standards to align with recent additions to the International Ethics Standards Board for Accountants’ International Code of Ethics for Professional Accountants when it comes to using the work of an external expert.
The IAASB is asking for comments via a digital response template that can be found on the IAASB website by July 24, 2025.
In December 2023, the IESBA approved an exposure draft for proposed revisions to the IESBA’s Code of Ethics related to using the work of an external expert. The proposals included three new sections to the Code of Ethics, including provisions for professional accountants in public practice; professional accountants in business and sustainability assurance practitioners. The IESBA approved the provisions on using the work of an external expert at its December 2024 meeting, establishing an ethical framework to guide accountants and sustainability assurance practitioners in evaluating whether an external expert has the necessary competence, capabilities and objectivity to use their work, as well as provisions on applying the Ethics Code’s conceptual framework when using the work of an outside expert.
President Donald Trump’s tariffs would effectively cause a tax increase for low-income families that is more than three times higher than what wealthier Americans would pay, according to an analysis from the Institute on Taxation and Economic Policy.
The report from the progressive think tank outlined the outcomes for Americans of all backgrounds if the tariffs currently in effect remain in place next year. Those making $28,600 or less would have to spend 6.2% more of their income due to higher prices, while the richest Americans with income of at least $914,900 are expected to spend 1.7% more. Middle-income families making between $55,100 and $94,100 would pay 5% more of their earnings.
Trump has imposed the steepest U.S. duties in more than a century, including a 145% tariff on many products from China, a 25% rate on most imports from Canada and Mexico, duties on some sectors such as steel and aluminum and a baseline 10% tariff on the rest of the country’s trading partners. He suspended higher, customized tariffs on most countries for 90 days.
Economists have warned that costs from tariff increases would ultimately be passed on to U.S. consumers. And while prices will rise for everyone, lower-income families are expected to lose a larger portion of their budgets because they tend to spend more of their earnings on goods, including food and other necessities, compared to wealthier individuals.
Food prices could rise by 2.6% in the short run due to tariffs, according to an estimate from the Yale Budget Lab. Among all goods impacted, consumers are expected to face the steepest price hikes for clothing at 64%, the report showed.
The Yale Budget Lab projected that the tariffs would result in a loss of $4,700 a year on average for American households.
Artificial intelligence is just getting started in the accounting world, but it is already helping firms like technology specialist Schellman do more things with fewer people, allowing the firm to scale back hiring and reduce headcount in certain areas through natural attrition.
Schellman CEO Avani Desai said there have definitely been some shifts in headcount at the Top 100 Firm, though she stressed it was nothing dramatic, as it mostly reflects natural attrition combined with being more selective with hiring. She said the firm has already made an internal decision to not reduce headcount in force, as that just indicates they didn’t hire properly the first time.
“It hasn’t been about reducing roles but evolving how we do work, so there wasn’t one specific date where we ‘started’ the reduction. It’s been more case by case. We’ve held back on refilling certain roles when we saw opportunities to streamline, especially with the use of new technologies like AI,” she said.
One area where the firm has found such opportunities has been in the testing of certain cybersecurity controls, particularly within the SOC framework. The firm examined all the controls it tests on the service side and asked which ones require human judgment or deep expertise. The answer was a lot of them. But for the ones that don’t, AI algorithms have been able to significantly lighten the load.
“[If] we don’t refill a role, it’s because the need actually has changed, or the process has improved so significantly [that] the workload is lighter or shared across the smarter system. So that’s what’s happening,” said Desai.
Outside of client services like SOC control testing and reporting, the firm has found efficiencies in administrative functions as well as certain internal operational processes. On the latter point, Desai noted that Schellman’s engineers, including the chief information officer, have been using AI to help develop code, which means they’re not relying as much on outside expertise on the internal service delivery side of things. There are still people in the development process, but their roles are changing: They’re writing less code, and doing more reviewing of code before it gets pushed into production, saving time and creating efficiencies.
“The best way for me to say this is, to us, this has been intentional. We paused hiring in a few areas where we saw overlaps, where technology was really working,” said Desai.
However, even in an age awash with AI, Schellman acknowledges there are certain jobs that need a human, at least for now. For example, the firm does assessments for the FedRAMP program, which is needed for cloud service providers to contract with certain government agencies. These assessments, even in the most stable of times, can be long and complex engagements, to say nothing of the less predictable nature of the current government. As such, it does not make as much sense to reduce human staff in this area.
“The way it is right now for us to do FedRAMP engagements, it’s a very manual process. There’s a lot of back and forth between us and a third party, the government, and we don’t see a lot of overall application or technology help… We’re in the federal space and you can imagine, [with] what’s going on right now, there’s a big changing market condition for clients and their pricing pressure,” said Desai.
As Schellman reduces staff levels in some places, it is increasing them in others. Desai said the firm is actively hiring in certain areas. In particular, it’s adding staff in technical cybersecurity (e.g., penetration testers), the aforementioned FedRAMP engagements, AI assessment (in line with recently becoming an ISO 42001 certification body) and in some client-facing roles like marketing and sales.
“So, to me, this isn’t about doing more with less … It’s about doing more of the right things with the right people,” said Desai.
While these moves have resulted in savings, she said that was never really the point, so whatever the firm has saved from staffing efficiencies it has reinvested in its tech stack to build its service line further. When asked for an example, she said the firm would like to focus more on penetration testing by building a SaaS tool for it. While Schellman has a proof of concept developed, she noted it would take a lot of money and time to deploy a full solution — both of which the firm now has more of because of its efficiency moves.
“What is the ‘why’ behind these decisions? The ‘why’ for us isn’t what I think you traditionally see, which is ‘We need to get profitability high. We need to have less people do more things.’ That’s not what it is like,” said Desai. “I want to be able to focus on quality. And the only way I think I can focus on quality is if my people are not focusing on things that don’t matter … I feel like I’m in a much better place because the smart people that I’ve hired are working on the riskiest and most complicated things.”