The CPE COA Universe: Your Roadmap for CMS's New 'Collaborating on Compliance' Approach
Sevana Health Team
December 16, 2025
Three weeks ago, we covered the major changes coming to CMS program audits in 2026βthe elimination of ICAR/ORCA, the new Observation/CAR/IDS framework, and the shift to "Collaborating on Compliance" for CPE reviews.
The response from compliance teams has been mostly positive. No more scrambling to submit a corrective action plan within three business days. No more treating CPE as an isolated audit silo.
But there's one detail that deserves more attention: The Compliance Oversight Activities (COA) universe isn't going away.
In fact, under the new collaborative model, your COA data becomes the foundation for every discussion you'll have with CMS auditors about how your compliance program actually works.
The COA Universe Under "Collaborating on Compliance"
"CMS will still need to collect some information from the current CPE protocol, including the Compliance Oversight Activities (COA) universe. This information will only be used to help CMS and the Sponsor's compliance team identify why noncompliance may have occurred and what can be done to prevent it in the future."
β CMS November 2025 Memo
Under the old model, CPE was somewhat isolated. Submit your COA universe, have your CPE fieldwork week, move on.
Under the new model, CMS auditors will use your COA data to:
Map your oversight to operational areas β When reviewing ODAG timeliness issues, did your COA show monitoring activities for coverage determinations?
Discuss root causes β If deficiencies were found, what does your COA show about how they were identified and corrected?
Evaluate compliance integration β Are oversight results being shared with the right stakeholders? Is there evidence of follow-through?
Assess program balance β Do you have appropriate coverage across Auditing, Monitoring, and Investigations? Across Compliance and FWA focus areas?
Your COA universe is no longer a compliance checkbox. It's the roadmap for your collaborative discussions with CMS.
The 12 COA Data Elements: Why Each One Matters Now
| Column | Field | What CMS Will Look For |
|---|---|---|
| A | Component | Does oversight map to audited program areas? |
| B | Activity Type | Balance across Auditing, Monitoring, Investigations |
| C | Compliance or FWA | Dual focus coverage |
| D | Activity Frequency | Ongoing oversight vs. one-time activities |
| E | Activity Rationale | Evidence of risk-based approach |
| F | Activity Description | Sufficient detail for collaborative discussion |
| G | Activity Start Date | Alignment with audit period |
| H | Activity Completion Date | Evidence activities were actually completed |
| I | Number of Deficiencies | Foundation for root cause discussions |
| J | Description of Deficiencies | Specifics for corrective planning |
| K | Corrective Action Required | Evidence of accountability |
| L | Activity Results Shared | Governance and communication |
IDS: The Risk That Didn't Change
With ICAR and ORCA eliminated, some teams may be feeling relief. But here's the reality check:
IDS (Invalid Data Submission) findings remain unchanged.
CMS will continue applying IDS classification "when a universe is deemed inaccurate or invalid and CMS cannot determine compliance with requirements as a result."
Translation: Data quality is now your primary failure mode.
What Triggers IDS for COA
| Issue | Example | Result |
|---|---|---|
| Missing required fields | Empty Component column | File Rejected |
| Invalid date format | "12/15/2025" instead of "2025/12/15" | File Rejected |
| Hidden characters | Tab or line feed from Excel copy-paste | File Rejected |
| Whitespace issues | "Auditing " (trailing space) | Data mismatch during audit |
| Logical errors | Completion date before start date | Audit finding |
A single IDS error can invalidate your entire universe submission. With engagement letters starting February 2026, there's limited time for resubmission.
Common COA Gaps That Undermine Collaborative Discussions
Based on our experience helping plans prepare universe files, here are the patterns that create problems:
1. Activity Type Imbalance
Plans often show heavy Auditing activity but minimal Monitoring or Investigations. Under the new model, CMS will ask: "How do you detect issues between audits?"
What good looks like: Balanced distribution across all three activity types, with monitoring activities tied to key operational areas.
2. Deficiencies Without Corrective Actions
COA shows deficiencies identified, but Corrective Action Required is blank or "TBD" for closed activities. CMS will ask: "What happened after you found this issue?"
What good looks like: Clear linkage between identified deficiencies and documented corrective actions.
3. Results Not Shared
Activity Results Shared consistently shows "No" or is blank. CMS will ask: "How does leadership know what you're finding?"
What good looks like: Documented evidence of results communication to appropriate governance bodies.
4. Component Gaps
Oversight activities don't map to all operational areas CMS audits. If ODAG has findings but COA shows no monitoring of coverage determinations, that's a problem.
What good looks like: Oversight activities aligned with each program area in your audit scope.
Building COA Analytics for the New Reality
CMS wants to understand the effectiveness of your compliance programβnot just that it exists. This requires analytics capabilities:
Deficiency Analysis
- β’Deficiency rates by component
- β’Trends over time
- β’Comparison across activity types
Activity Coverage
- β’Distribution across Auditing/Monitoring/Investigations
- β’Coverage by program area
- β’Frequency patterns
Corrective Action Tracking
- β’Open vs. closed actions
- β’Time to resolution
- β’Recurrence rates
Results Sharing Metrics
- β’Sharing rates by component
- β’Governance reporting patterns
These aren't just nice-to-have dashboards. They're the evidence you'll discuss with CMS auditors under the new collaborative approach.
How Universe Scrubber Prepares Your COA
Pre-Submission Validation
- βValidates all 12 COA fields against CMS specifications
- βDetects IDS-triggering issues before submission
- βChecks date formats (CCYY/MM/DD), required fields, allowed values
Data Quality Detection
- βIdentifies leading/trailing spaces that cause data mismatches
- βDetects hidden characters (tabs, line feeds, carriage returns)
- βFlags Excel formatting issues that corrupt date fields
Compliance Analytics Dashboard
- βDeficiency rates by component, activity type, focus area
- βComponent performance and activity coverage
- βActivity distribution across Auditing, Monitoring, Investigations
Audit-Ready Reporting
- βExecutive dashboards for board presentations
- βDetailed deficiency reports for collaborative discussions
- βPDF and Excel exports
Preparing for February 2026
With engagement letters starting in just a few months, here's your action plan:
Immediate (December-January)
- 1. Validate existing COA data β Run through Universe Scrubber to identify IDS-triggering issues
- 2. Review activity coverage β Do you have oversight mapped to all audited program areas?
- 3. Check activity balance β Is there appropriate distribution across Auditing, Monitoring, Investigations?
Before Engagement Letter
- 4. Close corrective action gaps β Any open items from identified deficiencies?
- 5. Document results sharing β Evidence of governance communication?
- 6. Build analytics capabilities β Can you demonstrate program effectiveness?
Ongoing
- 7. Integrate COA with operational oversight β Align your data with how CMS will now evaluate CPE
- 8. Prepare for collaborative discussions β Your COA should tell a complete story
The Bottom Line
The 2026 audit changes are largely positive for compliance teams. But the shift to "Collaborating on Compliance" raises the stakes for your COA data.
Your COA universe is no longer just a submission. It's the foundation for demonstrating how your compliance program prevents, detects, and corrects noncompliance across every program area.
IDS findings remain your primary risk. Data quality issues that would have been one finding among many are now potential deal-breakers.
Don't Let Data Quality Undermine Your Collaborative Position with CMS
Universe Scrubber validates your COA files against CMS specifications, catches IDS-triggering errors before submission, and provides the analytics you need for collaborative audit discussions.
Sources
- β’ CMS 2026 Program Audit Updates Memo (November 20, 2025)
- β’ CMS Program Audits Website: cms.gov/medicare/audits-compliance/part-c-d/program-audits