When the Engagement Letter Lands: A 30-Day Playbook for the 2026 CMS Audit Cycle
Guest contributor · Chief Compliance Officer, Ideal Alliance Corp. · June 2, 2026
By Amelia Marie Biehler. Chief Compliance Officer at Ideal Alliance Corp. Former Chief Compliance Officer at Solis Health Plans, a Florida Medicare Advantage plan.
The engagement letter usually lands on a Monday. You see the email in the queue before you've finished your coffee. The subject line is calm and bureaucratic. The contents are not calm, even though they read like a template, because you have just learned that the next 90 days of your professional life are going to look very different from the 90 days you had planned.
I served as Chief Compliance Officer at Solis Health Plans, a Florida-based Medicare Advantage plan, for more than four years, and led quality and operations at the same plan before that. I now advise health plans on compliance and risk in a consulting capacity. The pattern I saw across multiple CMS program audit cycles, in our own work and in the plans I advise today, is consistent. The plans that come out of fieldwork with clean reports do not have larger compliance teams, smarter consultants, or magic software. They have a tighter operating discipline in the first 30 days after the letter arrives.
This post is what I would do, knowing what I now know, in the first 30 days after a 2026 engagement letter lands. It is opinionated on purpose. Take what's useful and ignore the rest.
The thesis: most plans lose the audit before fieldwork starts
Fieldwork is two weeks. The universe production window is 15 business days. Most teams treat those as the audit. They are not. They are the visible part of the audit.
The audit is actually won or lost in days 1 through 30, in three quiet decisions that almost nobody documents:
- Whether the right people are at the right table by Friday of week one.
- Whether the universes you build are the universes you can defend, not the universes you can produce.
- Whether your compliance program effectiveness story is something you can tell, or something you assemble.
Under the 2026 framework (CAR, Observation, and IDS replacing the old ICAR and ORCA categories), the audit is more conversational. Compliance Program Effectiveness (CPE) has moved out of its own session and into fieldwork. The “discussion-based” pilot sounds friendlier on paper. In practice, it raises the bar because auditors now expect a credible story, not a rehearsed one. A plan that can't talk fluently about how it identifies, escalates, and remediates compliance issues is a plan that gets findings, no matter how clean the documentation looks.
So that is the frame. Here is the playbook.
Days 1 to 3: the three calls you should not delegate
Most teams spend the first few days assembling task lists, mock-audit decks, and Gantt charts. That work matters, but it is not the work of days 1 to 3. The work of days 1 to 3 is three direct conversations:
Your Senior Leadership Team (SLT). Tell them what the audit is, what the timeline looks like, what could go wrong, and what you need from them. Get explicit air cover for two things: (1) you may need to interrupt operational leaders' calendars on short notice over the next 60 days, and (2) the universe production window is going to surface delegated entity issues that may require uncomfortable conversations with vendors the plan has reasons to like. The SLT who hears this in week one is not surprised in week four. The SLT who hears it for the first time in week four is a problem.
Your delegated entities. Specifically, every TPA, PBM, or vendor who will be producing universe data for ODAG, CDAG, FA, or SNPCC. Not their account manager. The person who actually runs the data extract. If you have a 15-business-day production window, they have something less. Tell them that. Ask them what they have not produced in the last 6 months. Ask them when they last validated against current CMS specs. The answer to this question is the single best leading indicator of how the next 30 days will go.
Your own compliance leadership. Quarterly mock audits, monthly metrics, the COA universe you have been building (or have not been building), the open CAPs you have inherited, the prior audit's findings. Be honest with each other about what you can and cannot defend if the auditor asks. The plans I have seen in trouble are not the plans that knew they had gaps. They are the plans that did not.
If you only do three things in week one, do those.
Readiness add-on (Days 1 to 3)
- Stand up a dated audit-response binder/SharePoint site on day 1: engagement letter, audit scope, protocol versions in effect, key dates, named owners by protocol (ODAG, CDAG, SNPCC, FA, CPE), and a single point of contact for CMS correspondence.
- Confirm the current CMS Program Audit Protocols and data request specs are the versions you are building to, and lock the version reference in writing so every downstream team and delegated entity is working from the same layout.
- Pull the prior audit's findings, open CAPs, and validation/independent-audit results, and map each to a current owner and status before fieldwork. Unclosed prior findings are the first thing auditors test for recurrence.
- Verify every delegated-entity contract has current data-integrity, audit-cooperation, and turnaround obligations that match the production window, and that 42 CFR Part 438 / MA delegation oversight documentation (delegation agreements, most recent delegation audits) is on hand.
Days 4 to 10: the universe assembly trap
Here is where most plans go off the rails: they treat universe assembly as a production task, when it is actually a defensibility task.
The difference matters. A production task asks “can we generate these tables in the format CMS wants by the deadline?” A defensibility task asks “can we explain every value in every cell, and trace it back to source data, and reproduce it tomorrow if asked?” Those are not the same question.
In the 2026 framework, Invalid Data Submission (IDS) is the standalone fail state for universe quality. CMS gives you up to three submission attempts. After three, the protocol is cited as IDS and there is no path to recover within the cycle. IDS is the single most common audit-killer I have seen, and it is almost always preventable.
What I would do in days 4 to 10:
- Validate universe files against current CMS specs before they are submitted, not after CMS rejects them. Several hundred row-level rules in a tool like Sevana's Universe Scrubber catch the things humans miss. But even without software, an internal pre-flight pass against the published CMS layouts is non-negotiable. If your team has been doing this monthly, you are in a different position than the team doing it for the first time when the letter arrives.
- Build the inter-field logic check, not just the field-presence check. CMS integrity testing in the five days after universe submission is heavily focused on cross-field consistency: dates that don't reconcile, effectuations that don't match determinations, payments that don't match the underlying decision. A universe that passes a “did we populate every field” check still fails if the logic is internally inconsistent.
- Document your assumptions. Every gray area in the CMS specs forces an interpretation. Write yours down, with the date, the rationale, and who signed off. If CMS asks during fieldwork why a field was populated a particular way, the answer “we decided in March, here's the memo” is dramatically better than “we'll have to get back to you.”
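As an added illustration (not code from this post, from the plan described, or from Sevana's product), the following pre-flight checker runs both the field-presence pass and the inter-field logic pass described above over constructed sample rows. The column names, rule IDs and the 14-day decision timeframe parameter are assumptions for the demo, not the CMS record layout or timeliness standard.

```python
from datetime import datetime

# Assumed, simplified column set; real CMS record layouts are longer and protocol-specific.
REQUIRED = ("case_id", "request_date", "determination_date", "decision")

def _parse(value):
    """Parse YYYY-MM-DD; return None for blank or malformed values so the rule reports it."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return None

def validate_row(row, max_decision_days):
    """Return the rule IDs one universe row violates (empty list means it passes)."""
    # Field-presence pass: the check most teams already run.
    errors = [f"missing:{f}" for f in REQUIRED if not row.get(f)]
    req, det, eff = (_parse(row.get(k)) for k in ("request_date", "determination_date", "effectuation_date"))
    for name, parsed in (("request_date", req), ("determination_date", det), ("effectuation_date", eff)):
        if row.get(name) and parsed is None:
            errors.append(f"bad_date:{name}")
    # Inter-field pass: each rule compares two or more columns of the same record.
    if req and det:
        if det < req:
            errors.append("determination_before_request")
        elif (det - req).days > max_decision_days:
            errors.append("decision_untimely")
    decision = (row.get("decision") or "").upper()
    if decision == "APPROVED":
        if eff is None:
            errors.append("approved_without_effectuation")
        elif det and eff < det:
            errors.append("effectuation_before_determination")
    elif decision == "DENIED" and row.get("effectuation_date"):
        errors.append("denied_with_effectuation")
    return errors

def validate_universe(rows, max_decision_days=14):
    """Map case_id to violated rules for every failing row; passing rows are omitted."""
    return {r.get("case_id") or f"row{i}": errs
            for i, r in enumerate(rows) if (errs := validate_row(r, max_decision_days))}

# Constructed sample rows (not real plan data): one clean record and two with logic defects.
SAMPLE_ROWS = [
    {"case_id": "A1", "request_date": "2026-03-01", "determination_date": "2026-03-05",
     "decision": "APPROVED", "effectuation_date": "2026-03-06"},
    {"case_id": "A2", "request_date": "2026-03-01", "determination_date": "2026-03-05",
     "decision": "APPROVED", "effectuation_date": "2026-03-02"},
    {"case_id": "A3", "request_date": "2026-03-01", "determination_date": "2026-03-25",
     "decision": "DENIED", "effectuation_date": "2026-03-26"},
]
```

Every row in the sample populates every field, so a presence-only check passes all three; only the inter-field pass flags A2 and A3.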
Readiness add-on (Days 4 to 10)
- Run a full mock universe pull end to end for each protocol against the real production window timeline, so you discover extract, timing, and volume problems before CMS does, not during the live 15-business-day window.
- Reconcile universe record counts back to source systems and to operational reports (claims, authorizations, grievances/appeals logs) so you can prove completeness, not just format compliance, and explain any variance.
- Build a single assumptions/data-dictionary log shared with delegated entities so the plan and every vendor populate ambiguous fields identically; inconsistent interpretations across entities are a common inter-field logic failure.
- Pre-stage timeliness evidence for the records most likely to be sampled: effectuation dates, notification dates, and decision timeframes, with the source timestamp for each, so test-case deep dives during fieldwork are answerable on the spot.
Days 11 to 20: the conversation nobody schedules
This is the call that almost nobody puts on the calendar, but every plan that gets through audit cleanly has it: a structured, hour-long conversation with each delegated entity's data lead, focused exclusively on the universe production for this audit.
Not a status check. Not a stand-up. A real one-hour conversation with three agenda items:
- Their error rates by protocol over the last six universe submission cycles. If they don't have these numbers, you have a problem you didn't know you had.
- Which of your team's data definitions they interpret differently than you do. I have never had this conversation and not surfaced at least one material disagreement. The smaller the disagreement looks, the more it matters.
- What they would do differently if they had three more weeks. The answer to this question is, in most cases, exactly the thing you need them to do now.
If the delegated entity is uncomfortable having this conversation, that is information. Plans that delegate operational work but not operational accountability tend to get audit findings. The 2026 framework is explicit that the plan, not the vendor, owns the data integrity outcome. Make sure the vendor knows you know that.
Readiness add-on (Days 11 to 20)
- Collect each delegated entity's current SOC reports, most recent internal/external audit results, and any open corrective actions, and confirm they map to the delegation oversight requirements in the contract and in 42 CFR Part 438.
- Get written confirmation of each vendor's production timeline within your window, their named data lead and backup, and their escalation path if an extract fails mid-window.
- Document every data definition disagreement surfaced in the one-hour calls, with the agreed resolution and who owns it, so the resolution itself becomes defensible audit evidence.
- Schedule mock interviews and webinar walk-throughs with the operational and delegated-entity staff most likely to be pulled into test case discussions, so the people who answer auditor questions have rehearsed against their own data.
Days 21 to 30: a CPE story you can actually tell
Under the new framework, Compliance Program Effectiveness moves out of its own audit session and into the fieldwork conversation. The COA universe is now the spine of that conversation. A thin COA universe makes for a short, defensive discussion. A well-populated COA universe with documented oversight activities makes for a productive one.
What auditors are listening for, in my experience: can you tell me how you identified your most significant compliance risk in the last 12 months, what you did about it, and how you know it worked? If you can answer that question in three sentences with specifics, the rest of the CPE conversation goes well. If you can't, no amount of polish in the rest of fieldwork will rescue it.
Days 21 to 30 are when you stress-test your CPE story. Not your CPE documentation. Your story. Talk through it with your General Counsel, your COO, and two of your operational leaders. If they push back on a thread, an auditor will too. The goal is not to memorize. The goal is to make sure the story is true, defensible, and easy to tell.
Readiness add-on (Days 21 to 30)
- Assemble the CPE evidence trail behind the story: risk assessment, work plan, monitoring and auditing results, issue logs, root-cause analyses, CAPs and their closure evidence, and Compliance Committee/Board minutes showing oversight, all dated and linked from the COA universe.
- Confirm the seven compliance program elements are each evidenced (policies, oversight, training, communication, monitoring/auditing, enforcement/discipline, and prompt response/corrective action) and that FWA and SIU activity is documented and current.
- Verify training completion (compliance, FWA, and any role-specific) for employees and delegated entities, with exception tracking, since incomplete training is a fast and common Observation/CAR.
- Prepare a one-page fieldwork logistics and roles sheet: who presents each protocol, who runs screen-shares, the entrance/exit conference attendee list, and a process for capturing and turning around auditor follow-up requests same day.
What's actually different in 2026
If you led compliance through cycles before 2026, three things have changed enough to merit a reset:
Findings classification. ICAR and ORCA are gone. CAR and Observation are the two categories of substantive findings. IDS is a separate, third category for universe data integrity. The structural simplification is welcome. The practical implication is that IDS is now a cleaner, more visible signal to your board and to CMS that the plan's data is not under control. Treat it as such.
No scoring. CMS will not assign point values to findings. This sounds like good news. It is also a signal that CMS expects compliance officers to bring more judgment to which findings matter and why. The plans that benefit are the ones whose compliance leaders can speak to materiality, root cause, and remediation in operational terms. The plans that lose ground are the ones that relied on the scoring scaffold to do the prioritization work.
Discussion-based CPE. The pilot is called “Collaborating on Compliance.” It is friendlier in name and harder in practice. Auditors want a conversation, and conversations expose weak operating models in ways that document requests never did.
Closing thought
Audits are not the test. They are the audit of the test. The test happens during the rest of the year, every month, in the quiet decisions about whether you validate universes before or after submission, whether you treat delegated entity oversight as contractual or operational, whether you build CPE evidence as a byproduct of normal work or as a sprint in audit-prep month.
The 30-day playbook above is what you do when the test is already over and the audit has begun. Most plans I have worked with can run this playbook well, given enough discipline and air cover. The plans that cannot are the plans that, on day 31, are still finding out things they should have known on day 1.
If the engagement letter has not landed yet, you still have time to make day 1 easier. If it has, the first three calls are the place to start.
Cross-cutting readiness items (all 30 days)
- Maintain a master audit calendar with every CMS deadline (universe submission, integrity testing, webinars, fieldwork, exit) and an internal buffer date ahead of each, owned by a single coordinator.
- Confirm HPMS access, secure file-transfer, and credentials for everyone who submits or presents, and test them before the window opens; access failures burn days you cannot recover.
- Keep a live HPMS memo-to-policy traceability log so that, for any guidance an auditor cites, you can show the memo, the policy or procedure it updated, the effective date, and proof of implementation.
- Run at least one full mock audit (or independent readiness review) covering universe pulls, test-case deep dives, and the CPE conversation, and log resulting gaps as pre-audit CAPs you can show you are already remediating.
- Define a self-disclosure posture in advance: how the team escalates and documents any issue it finds during prep, so a self-identified, already-remediating issue is presented as evidence of an effective program rather than discovered cold by the auditor.
About the author

Amelia Marie Biehler
Amelia Marie Biehler is Chief Compliance Officer at Ideal Alliance Corp. and former Chief Compliance Officer at Solis Health Plans, where she led enterprise compliance across Medicare, Medicaid, and CMS regulatory frameworks for more than four years. She is Cornell-trained in health care law and compliance systems and specializes in HIPAA privacy, AI in healthcare, internal audit, and risk management.