Big Changes Coming to CMS Program Audits in 2026
Sevana Health Team
November 24, 2025
CMS just released their 2026 Program Audit Updates memo (November 20, 2025), and there are significant shifts that compliance teams need to prepare for now. Here's what you need to know.
Source Document:
This analysis is based on the official CMS memo dated November 20, 2025, from John A. Scott, Director of Medicare Parts C and D Oversight and Enforcement Group, addressed to all current and prospective Medicare Advantage, Prescription Drug, and Section 1876 Cost Plans.
The Major Changes
1. Scoring is Gone & Classifications are Simplified
CMS is eliminating audit scoring and the ICAR/ORCA classifications. The scoring system, introduced in 2012, has been discontinued because CMS concluded it doesn't fully reflect a Sponsor's audit performance or overall compliance posture.
The new framework focuses on three clear categories:
CAR
Corrective Action Required
A finding of noncompliance that requires correction to strengthen internal controls, prevent future noncompliance, and/or ensure enrollee impact is resolved.
Observation
No CAP Required
A finding of noncompliance that CMS determines does not require submission of a corrective action plan. Sponsors should monitor to ensure ongoing compliance.
IDS
Invalid Data Submission
Cited when a Sponsor has failed to produce an accurate or complete universe and/or documentation to CMS. This remains a primary trigger for universe failures.
Key Implication:
With ICAR and ORCA gone, IDS remains the critical "fail" state for data submissions. Data quality is now effectively a standalone failure mode.
2. Compliance Program Effectiveness (CPE) Gets Real
CMS is piloting a new approach that looks beyond "policies on paper." Historically, CPE evaluation relied on Sponsors demonstrating how they adopted and implemented compliance program policies and procedures.
The new approach shifts to be more consistent with how compliance oversight is actually conducted by Sponsors:
What to Expect in 2026 CPE Reviews
- 1.In-depth discussions with auditors about how you prevent, detect, and correct noncompliance related to audited program areas
- 2.Operational focus on how your compliance program impacts your ability to comply with CMS requirements during daily business operations
- 3.Fieldwork discussions between compliance officers and CMS about monitoring activities, noncompliance identified during audit fieldwork, and actionable plans to prevent recurrence
- 4.Root cause collaboration where compliance teams work with program area SMEs to identify why noncompliance occurred and oversee correction
Under this pilot, findings specific to compliance program structure will generally not be cited. CMS will still collect some CPE protocol information, including the Compliance Oversight Activities (COA) universe, but primarily to help identify why noncompliance occurred.
3. Independent Validation Audits are Evolving
The Good News
Simple fixes (like updating appeal templates) no longer trigger a full validation audit. CMS will validate these through either a webinar or document review once the Sponsor has implemented their corrective action plan.
The Threshold
Complex findings still require a validation audit. If you have more than 5 conditions flagged as "in need of a validation audit," you must hire an independent auditor. If you have 5 or fewer, CMS will conduct the validation themselves.
CMS will flag complex findings as "in need of a validation audit" in the audit report. This change should reduce the number of instances requiring independent auditors and limit validation audits to findings that truly need that level of testing.
4. Quarterly Compliance Calls are Coming
In a move toward transparency, CMS will begin hosting quarterly educational calls with industry compliance officers. The purpose:
- Share information about compliance issues detected during program audits
- Facilitate meaningful dialogue to identify potential best practices
- Allow compliance officers to collaborate and discuss improvements
- Strengthen compliance programs industry-wide
CMS will release more information about these calls in the coming months.
5. Data Collection Updates
CMS is continuing to suspend collection of:
- •FA Table 3: Prescription Drug Event (PDE)
- •CDAG Table 7: Comprehensive Addiction and Recovery Act (CARA) At-Risk Determination
- •ODAG Table 6: Dual Special Needs Plan - Applicable Integrated Plan Reductions, Suspensions, and Terminations (AIP)
What This Means for 2026 Prep
Data Quality is a Standalone Failure Mode
With ICAR/ORCA gone, IDS remains the critical failure state for data. Universe file accuracy is more important than ever.
Your CPE Needs Teeth
Policies aren't enough—you need to demonstrate operational effectiveness. Be prepared to discuss how your compliance program actually prevents, detects, and corrects noncompliance in daily operations.
Get Ahead of Universe Errors
Catching data issues before submission is now your best defense against an IDS citation. Proactive validation is essential.
General Audit Updates
- •Audit engagement letters will be sent February through August 2026
- •Fieldwork continues across two weeks, with audited program areas spread out due to CPE changes
- •All Part C audits will continue assessing compliance with coverage and utilization management requirements (CMS-4201-F)
Why We Built Our Universe Scrubber This Way
At Sevana Health, these changes reinforce why we built our CMS Universe Scrubber the way we did—validating your CDAG, ODAG, FA, and SNPCC files to catch errors before CMS finds them. With IDS now the primary data failure classification, proactive validation isn't just good practice—it's your best defense.