Practitioner Guide · Updated for the 2026 framework
The CMS Program Audit: A Complete Guide for Medicare Advantage Plans
What a program audit actually tests, how the 2026 framework changed the rules, what each of the five protocols demands, and where plans win or lose. Written by people who validate audit universes for a living, with deep-dive guides linked throughout.
What Is a CMS Program Audit?
A CMS Program Audit is the agency's most direct look at how a Medicare Advantage or Part D sponsor actually operates. It is not a document review. CMS pulls universes, structured data files listing the plan's real cases, then samples from them and traces how individual members were handled: the denied authorization, the late appeal, the rejected claim at the pharmacy counter, the health risk assessment that never happened.
CMS selects sponsors for routine program audits each year, and any sponsor can be audited for cause. The practical implication is the same either way: the audit tests the data your operations generate every day, which means audit readiness is an operating condition, not a project you start when the letter arrives. For a broader view of how program audits fit into CMS's oversight toolkit alongside compliance and enforcement actions, see how CMS ensures Medicare Advantage compliance.
The 2026 Framework: CAR, Observation, and IDS
CMS's November 2025 Program Audit memo retired the audit scoring system and the ICAR/ORCA classifications that had been in place since 2012. Findings now fall into three classifications:
- CAR (Corrective Action Required): A finding of noncompliance that requires a corrective action plan and follow-up validation.
- Observation (no CAP required): A finding that does not require a corrective action plan but should be monitored to ensure ongoing compliance.
- IDS (Invalid Data Submission): Cited when a sponsor cannot produce an accurate, complete universe. Data quality is now a standalone failure mode.
The second structural change is to CPE. Compliance Program Effectiveness moved out of its own session and into fieldwork as a discussion-based review, a pilot sometimes referred to as "Collaborating on Compliance." That sounds friendlier than the old format. In practice it raises the bar, because auditors now expect the compliance officer to talk fluently about how the program detects, escalates, and corrects noncompliance, with the COA universe as the agenda.
Full breakdown: what changed in the 2026 CMS Program Audit framework.
The Program Audit Lifecycle
Engagement letter
The audit formally begins when the engagement letter arrives. The clock starts immediately: universe production, team mobilization, and delegate notification all run from this date.
Universe production: 15 business days
The sponsor produces the universes each protocol requires, and several supplemental questionnaires land even sooner, due five business days from the engagement letter. Submission attempts are limited, and universes that are still inaccurate or incomplete after three attempts can be cited as IDS. This window is where audits are most often lost.
Fieldwork
Roughly two weeks of webinars in which auditors walk samples from the universes with the plan's operational teams, and, under the 2026 approach, hold the discussion-based CPE review.
Findings and classification
CMS issues its report with conditions classified as CAR, Observation, or IDS.
Corrective action and validation
CARs require corrective action plans, and CMS validates that the fixes actually resolved the underlying issue before the audit truly closes.
For a day-by-day view of the first month, read the 30-day playbook for the 2026 audit cycle, written by a former MA Chief Compliance Officer who has lived through multiple cycles.
The Five Program Audit Protocols
Each protocol defines the universes a sponsor must produce and the tests auditors run against them. CMS publishes the field-level record layout specs via OMB-approved form CMS-10717; Sevana's platform translates those specs into 1,600+ discrete validation rules.
ODAG
Part C: Organization Determinations, Appeals, and Grievances
Structure. Five tables: Organization Determinations (OD), Reconsiderations (RECON), Payment Determinations (PYMT_C), Effectuations (EFF_C), and Grievances (GRV_C).
Covers how the plan handles Part C requests for services and payment, appeals of denials, and member complaints. The recurring failure modes are timeliness measured from the wrong receipt date, effectuations that cannot be traced back to the overturned decision, and grievances misclassified as inquiries.
Read the full ODAG universe guide
CDAG
Part D: Coverage Determinations, Appeals, and Grievances
Structure. Six tables: Coverage Determinations (CD), Exception Requests (CDER), Payment Determinations (PYMT_D), Redeterminations (RD), Effectuations (EFF_D), and Grievances (GRV_D).
The Part D counterpart to ODAG, with tighter clocks and one structural trap: exception requests live in their own table (CDER), separate from standard coverage determinations. Plans that merge them, or that measure decision timeliness from the wrong start point, produce universes that fail validation.
Read the full CDAG universe guide
FA
Part D: Formulary Administration
Structure. Three routinely submitted tables: Rejected Claims Formulary (RCFA), Rejected Claims Transition (RCT), and New Enrollees (NE). A fourth table, Prescription Drug Event (PDE) data, is collected only when CMS instructs the sponsor to submit it.
Tests whether the formulary the plan administers at the pharmacy counter matches the formulary CMS approved: rejected claims, transition fills, and new enrollee protections. Most of the pain lives in the PBM handoff, because the plan is accountable for data its delegate generates.
Read the full FA universe guide
SNPCC
SNPs: Special Needs Plans Care Coordination
Structure. One universe table, SNP Enrollees (SNPE), plus two supplemental submissions: approved Models of Care (the SNP team lead identifies which to submit) and the SNPCC Questionnaire.
Applies to Special Needs Plans and centers on health risk assessments and individualized care plans. The classic error is measuring annual HRA timeliness from the enrollment date instead of the prior HRA, which makes late members look on time until auditors pull the case files.
Read the full SNPCC compliance guide
CPE
All sponsors: Compliance Program Effectiveness
Structure. One universe: Compliance Oversight Activities (COA).
Evaluates whether the compliance program required by 42 CFR 422.503(b)(4)(vi) and 423.504(b)(4)(vi) actually operates. Under the 2026 approach, CPE moved into fieldwork as a discussion-based review, so the COA universe becomes the agenda for a conversation about how the plan detects, escalates, and corrects noncompliance.
Read the full CPE COA universe guide
IDS: The Failure Mode That Survived the Reset
Scoring is gone and ICAR/ORCA are retired, but Invalid Data Submission remains, and it is now the cleanest, most visible signal an audit produces. An IDS finding says the plan could not tell CMS what happened to its own members, and no operational excellence elsewhere offsets it. Because universes feed every protocol, one team's data problem becomes the whole audit's problem.
The mechanics that trigger IDS are unglamorous: header rows that do not match the record layout, dates in the wrong format, timeliness measured from the wrong starting point, missing cases, and universes that disagree with the case files behind them. All of it is detectable before submission, which is the job of universe scrubbing software.
Deep dive: Invalid Data Submission in 2026.
Beyond the Universes: The Evidence Expectation
A discussion-based CPE review changes what preparation means. Auditors are no longer just checking that policies exist. They are asking the plan to demonstrate how its compliance program operates: how new CMS guidance moves from receipt to implementation, how issues get escalated and corrected, and how delegated entities are verified rather than trusted.
That makes the everyday record the audit asset. A plan that can show, in one place, how a specific HPMS memo was reviewed, which policies it touched, who owned the response, and when it closed has a very different fieldwork conversation than a plan reconstructing that story from email. We wrote about that problem in the Friday afternoon HPMS memo.
How Plans Prepare
The plans that come out of fieldwork clean treat readiness as a standing condition: universes generated and validated on a schedule, not assembled for the first time inside the 15-day window; delegates tested before CMS tests them; and a CPE story that is told from operating records rather than written for the occasion. Start here:
- CMS audit preparation guide covering universe validation, documentation, and during-audit response.
- The free Universe Header Check tool validates your file headers against the current CMS spec in your browser.
- The printable CMS compliance checklist for a quick self-assessment across submission, documentation, and program operations.
- How the Sevana platform supports audit readiness, from universe validation through CAP tracking.
Primary Sources
This guide summarizes CMS's own audit materials. Go to the source for the authoritative detail:
- CMS Program Audits hub, including protocols, record layouts, and audit-related HPMS memos.
- Program Audit Process Overview (PDF), CMS's description of the audit lifecycle.
- Audit Submission Checklist (PDF), the per-protocol list of required universes, questionnaires, and documentation with due dates.
Frequently Asked Questions
What is a CMS Program Audit?
A CMS Program Audit is a formal evaluation of how a Medicare Advantage or Part D sponsor operates against CMS requirements. Instead of reviewing policies on paper, CMS pulls universes, which are structured data files of the plan’s actual cases, samples from them, and tests how real members were handled across appeals, grievances, formulary administration, care coordination, and compliance program operations.
What are the five CMS Program Audit protocols?
The five protocols are ODAG (Part C Organization Determinations, Appeals, and Grievances), CDAG (Part D Coverage Determinations, Appeals, and Grievances), FA (Formulary Administration), SNPCC (Special Needs Plans Care Coordination), and CPE (Compliance Program Effectiveness). Each protocol defines the universes a sponsor must produce and the tests auditors run against them.
What are CAR, Observation, and IDS?
They are the three audit classifications CMS uses starting in 2026, replacing the retired scoring system and ICAR/ORCA categories. CAR (Corrective Action Required) is a finding of noncompliance that requires a corrective action plan. An Observation is a finding that does not require a CAP but should be monitored. IDS (Invalid Data Submission) is cited when a sponsor cannot produce an accurate and complete universe, and it functions as a standalone failure mode for data quality.
How long does a plan have to produce audit universes?
The universe production window is 15 business days from the engagement letter. Sponsors get a limited number of submission attempts per universe; files that are still inaccurate or incomplete after three attempts can be cited as an Invalid Data Submission, so plans that first assemble their universes during the audit window are already behind.
What happens after a CMS Program Audit?
CMS issues a report classifying its findings. Conditions classified as CAR require the sponsor to develop and implement a corrective action plan, and CMS validates that the corrective actions actually resolved the issue. Observations do not require a CAP but are expected to be addressed through routine monitoring. Audit results also shape how CMS views the sponsor’s compliance program going forward.
Validate Your Universes Before CMS Does
The CMS Universe Scrubber runs 1,600+ validation rules across ODAG, CDAG, FA, SNPCC, and CPE files, so the errors that become IDS findings get caught before submission.