CMS Audit Preparation for Medicare Advantage Plans: A 2026 Guide
Sevana Health Team
May 16, 2026
The 2026 CMS Program Audit cycle runs against a reset framework. Scoring is retired, the old ICAR/ORCA finding classifications are gone, and the new CAR/Observation/IDS framework is in place. CPE evaluation now happens through Collaborating on Compliance. Preparation that worked for the 2024 playbook will fall short. This guide walks through what audit preparation looks like under the current rules.
What audits look like in 2026
A CMS Program Audit in 2026 is still a multi-month engagement. The audit type and scope determine which universes you submit and which operational areas are reviewed, but the structural elements are consistent: an Engagement Letter arrives, universes are due, fieldwork happens, findings are issued, and corrective actions follow.
What is different in 2026 is how findings are classified and how CPE is evaluated:
CAR
Corrective Action Required. The sponsor must submit a documented corrective action plan to strengthen controls or resolve enrollee impact.
Observation
A finding that does not require a CAP. The sponsor should monitor to prevent recurrence but no formal remediation plan is required.
IDS
Invalid Data Submission. Cited when universe files fail integrity testing after three submission attempts. IDS lands on the audit record.
For deeper coverage of the framework shift, see our piece on the 2026 CMS Program Audit changes.
The 90-day preparation window
Once the Engagement Letter arrives, the clock starts. Plans that begin preparation only at that point are reactive. Plans that have been treating compliance as a continuous operation are organizing existing artifacts, not creating new ones. The work below assumes you have roughly 90 days from notification to fieldwork.
- Pull universe files for every protocol in scope (ODAG, CDAG, FA, SNPCC, CPE COA)
- Validate row by row against current CMS specifications, not the version from your last submission
- Identify and fix the issues that would trigger IDS before the audit submission
- Review the status of every open CAR from prior cycles; an unresolved CAR will surface as an issue
- Reconcile linked tables (OD to Reconsideration to Effectuation, for example) to catch cross-table inconsistencies
- Assemble the COA universe with documented oversight activities mapped to operational areas
- Verify each oversight activity has supporting evidence: agendas, minutes, monitoring reports, investigation records
- Cross-check that any deficiencies surfaced by oversight have documented corrective action follow-through
- Confirm balance across Auditing, Monitoring, and Investigation activity types, and across Compliance and FWA focus areas
- Pull memo-to-policy traceability records for any HPMS memos that affected scoped operational areas during the audit period
- Run a mock review of universes and COA documentation against the relevant CMS protocols
- Walk through how the compliance team will tell the oversight story under Collaborating on Compliance
- Confirm subject matter experts are identified and available for each protocol area
- Finalize the document retrieval process so requested artifacts can be produced within auditor timelines
- Brief leadership on the audit scope, expected timeline, and any known risk areas
Documentation that auditors expect
The documentation requirements have not fundamentally changed, but the 2026 framework makes some items more consequential. The list below covers what fieldwork teams typically request:
Compliance program structure
- Board-approved compliance program charter
- Compliance officer responsibilities and reporting line
- Compliance Committee charter and meeting minutes
- Annual compliance program assessment
Policies and procedures
- Code of conduct and standards of business ethics
- FWA program documentation and reporting procedures
- Incident response and investigation protocols
- Memo-to-policy traceability records
Oversight evidence
- COA universe submission
- Auditing, monitoring, and investigation reports tied to operational areas
- Trend analysis and risk assessment outputs
- Compliance metrics and reporting cadence
Corrective action records
- Open CARs from prior audits with status
- Root cause analyses for identified deficiencies
- Evidence of remediation completion
- Validation that controls held over time
The platform modules that help with each area: CMS Universe Scrubber for universe data quality, Compliance Metrics for monthly and quarterly oversight capture, Compliance Work Plan for CAR tracking, AI Policy Intelligence and Guidance Distribution for memo-to-policy traceability, and Risk Assessment for the structured risk evaluation auditors expect.
Universe file submission, in detail
Universe files are where most audits go wrong, and the three-attempts-then-IDS rule makes pre-submission validation critical. Each protocol carries its own structure, fields, and common failure modes:
- ODAG covers six tables: OD, Reconsiderations, Payment, Effectuations, Grievances, AIP
- CDAG mirrors ODAG for Part D coverage determinations
- FA covers formulary administration
- SNPCC applies to special needs plans
- CPE COA captures oversight activities
Across all five protocols, the validation rule count crosses 1,600. Manual checks miss errors that row-by-row automated validation catches in seconds. The classes of issues that most commonly trigger IDS:
- Sequencing errors across linked tables, where dates do not align between an OD and its Reconsideration
- Missing or invalid codes in required fields against the current CMS specifications
- Duplicate records or inconsistent member identifiers across the universe
- Timeliness calculations that do not match CMS expectations for the case type
- Off-by-one errors in the audit period boundaries
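As an added illustration (not code from CMS or from the platform described here), the sketch below runs three of these issue classes over a pair of linked tables: duplicate records, audit period boundaries, and OD-to-Reconsideration sequencing and member consistency. The column names, sample rows, audit period, and the choice of the received date as the inclusion test are all constructed assumptions, not CMS field names or rules.

```python
from collections import Counter
from datetime import date

# Constructed audit period; both boundary dates are treated as inclusive (assumption).
PERIOD_START, PERIOD_END = date(2026, 1, 1), date(2026, 3, 31)

# Constructed sample rows. Column names are hypothetical, not CMS field names.
OD_ROWS = [
    {"case_id": "OD-1", "member_id": "M100", "received": date(2026, 1, 1), "decided": date(2026, 1, 9)},
    {"case_id": "OD-2", "member_id": "M200", "received": date(2026, 3, 31), "decided": date(2026, 4, 2)},
    {"case_id": "OD-2", "member_id": "M201", "received": date(2026, 3, 31), "decided": date(2026, 4, 2)},
    {"case_id": "OD-3", "member_id": "M300", "received": date(2026, 4, 1), "decided": date(2026, 4, 5)},
]
RECON_ROWS = [
    {"case_id": "RC-1", "od_case_id": "OD-1", "member_id": "M100", "received": date(2026, 1, 5)},
    {"case_id": "RC-2", "od_case_id": "OD-9", "member_id": "M900", "received": date(2026, 2, 1)},
]

def validate(od_rows, recon_rows, start, end):
    """Return sorted (rule, case_id) findings for three of the issue classes above."""
    findings = set()
    counts = Counter(r["case_id"] for r in od_rows)
    findings.update(("DUPLICATE_CASE", cid) for cid, n in counts.items() if n > 1)
    for r in od_rows:
        # Inclusive comparison: a strict '<' or '>' here is the classic off-by-one.
        if not (start <= r["received"] <= end):
            findings.add(("OUTSIDE_PERIOD", r["case_id"]))
    od_by_id = {r["case_id"]: r for r in od_rows}
    for rc in recon_rows:
        od = od_by_id.get(rc["od_case_id"])
        if od is None:
            # Linked-table check: every reconsideration must point at an OD row.
            findings.add(("ORPHAN_RECON", rc["case_id"]))
            continue
        if rc["member_id"] != od["member_id"]:
            findings.add(("MEMBER_MISMATCH", rc["case_id"]))
        if rc["received"] < od["decided"]:
            # A reconsideration cannot be requested before the decision it appeals.
            findings.add(("RECON_BEFORE_DECISION", rc["case_id"]))
    return sorted(findings)

if __name__ == "__main__":
    for rule, case_id in validate(OD_ROWS, RECON_ROWS, PERIOD_START, PERIOD_END):
        print(f"{rule:24} {case_id}")
```

Rows dated exactly on the first and last day of the period pass, which is the boundary case an off-by-one comparison would wrongly reject.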
Telling the oversight story under Collaborating on Compliance
Under the previous CPE model, the compliance team was largely defensive: respond to findings, submit a CAP within three business days, move on. Under Collaborating on Compliance, the team walks the auditor through what the COA universe shows: which operational areas have documented oversight, what activities were performed, what deficiencies were identified, and how each deficiency was corrected.
The COA universe drives the conversation. A thin or generic COA submission produces a short, defensive conversation. A well-populated COA submission supported by accessible evidence produces a productive one. For more on what auditors actually look for in COA data, see our piece on the CPE COA universe under Collaborating on Compliance.
During the audit
When fieldwork begins, three things matter: response speed on requested documents, accuracy of every artifact produced, and consistency of the story across multiple subject matter experts. A few practical guidelines:
- Designate a single point of contact for auditor communications; route requests through that contact rather than scattering them across the organization
- Keep a log of every requested document and its delivery status; auditors notice patterns
- When responding, provide the requested artifact plus a brief context note explaining how to read it; do not assume the auditor knows your system
- Be honest about gaps; volunteering a known weakness with a credible remediation plan tends to land better than appearing surprised when an auditor finds it
- Run a daily internal debrief during fieldwork to catch emerging issues early
Common pitfalls in 2026 audits
Top pitfalls compliance teams encounter
1. Submitting universes without independent validation against the current CMS specifications
2. Treating the COA universe as a compliance checkbox rather than the evidence base for the audit conversation
3. Carrying open CARs into the new audit with no documented progress
4. Missing memo-to-policy traceability for HPMS memos in the audit period
5. Inconsistent answers from different SMEs because nobody walked the team through the oversight story together
6. Reactive document retrieval that pushes against auditor deadlines
7. Overweighting policy documents at the expense of operational evidence; auditors care about what actually happened, not just what was supposed to happen
Where this leaves your team
The 2026 framework rewards plans that built compliance as a continuous operation. The work of universe validation, oversight capture, memo-to-policy traceability, and CAR resolution does not stop after fieldwork. It is the ongoing work that produces a good audit, and a good audit produces a credible compliance program. The plans that adapted their tooling have an easier time, partly because the auditor conversation is grounded in artifacts that already exist.
The platform modules referenced throughout this guide are designed for exactly this continuous operation, so universe data, oversight evidence, corrective actions, and policy traceability are produced as byproducts of normal work rather than scrambled together in preparation week.