Skip to main content

Protocol Reference · Part of the CMS Program Audit Guide

CPE and the COA Universe: The 2026 Reference

CPE (Compliance Program Effectiveness) tests whether the compliance program actually operates. Under the 2026 approach it runs as a discussion-based review during fieldwork, and the COA universe is the agenda for that conversation.

The 2026 Shift: A Discussion, Not a Silo

CMS's November 2025 Program Audit memo replaced the old standalone CPE session with a discussion-based review during fieldwork, a pilot we refer to as "Collaborating on Compliance" (our shorthand, not an official CMS program name). The format sounds friendlier. In practice it raises the bar: auditors expect the compliance officer to speak fluently about how the program detects, escalates, and corrects noncompliance, with the plan's own COA data on the table.

Auditors use the COA universe to map oversight activities to the operational areas being audited (if ODAG has timeliness findings, did COA show monitoring of coverage determinations?), to probe root causes of identified deficiencies, to evaluate whether oversight results reach the right stakeholders, and to assess balance across auditing, monitoring, and investigations, and across compliance and FWA focus areas.

The COA universe is still collected and still integrity-tested. What changed is what it gets used for: it stopped being a submission and became the script for the conversation.

The 12 COA Data Elements

ColumnFieldWhat CMS Looks For
AComponentDoes oversight map to the program areas CMS audits?
BActivity TypeBalance across Auditing, Monitoring, and Investigations
CCompliance or FWACoverage of both focus areas
DActivity FrequencyOngoing oversight versus one-time activities
EActivity RationaleEvidence of a risk-based approach
FActivity DescriptionEnough detail to carry a discussion
GActivity Start DateAlignment with the audit period
HActivity Completion DateEvidence activities were actually completed
INumber of DeficienciesFoundation for root cause discussion
JDescription of DeficienciesSpecifics for corrective planning
KCorrective Action RequiredEvidence of accountability and follow-through
LActivity Results SharedGovernance and communication of results

The Gaps That Undermine the Discussion

  • Activity type imbalance. Heavy auditing activity with minimal monitoring or investigations invites the question: how do you detect issues between audits?
  • Deficiencies without corrective actions. Closed activities with deficiencies identified and the corrective action field blank or "TBD" invite: what happened after you found this?
  • Results that never reach governance. Activity Results Shared consistently blank or "No" invites: how does leadership know what you are finding?
  • Component gaps. Operational areas with audit findings but no corresponding oversight activity in COA is the single most exposed position a compliance officer can be in during the discussion.
  • Data quality. Missing required fields, wrong date formats, hidden characters, and completion dates before start dates. IDS applies to COA the same as everywhere else.

Go Deeper

Frequently Asked Questions

What is the CPE protocol in a CMS Program Audit?

CPE (Compliance Program Effectiveness) evaluates whether the compliance program required by 42 CFR 422.503(b)(4)(vi) and 423.504(b)(4)(vi) actually operates: how the sponsor detects, escalates, and corrects noncompliance. It applies to all sponsors, not just those with particular products, and its universe is the Compliance Oversight Activities (COA) table.

What is the COA universe?

The COA (Compliance Oversight Activities) universe lists the sponsor’s auditing, monitoring, and investigation activities during the review period across 12 data elements, including the component covered, activity type, rationale, dates, deficiencies found, corrective actions required, and whether results were shared. It is the one universe the CPE protocol collects.

What changed for CPE in 2026?

CMS’s November 2025 Program Audit memo moved CPE out of its own session and into fieldwork as a discussion-based review, a pilot sometimes referred to as "Collaborating on Compliance" (Sevana’s shorthand, not an official CMS program name). The COA universe is still collected, and it now functions as the agenda for the discussion: auditors use it to map oversight to operational areas, probe root causes, and evaluate whether results reach governance.

Can a COA universe trigger an IDS finding?

Yes. The same data integrity testing applies: missing required fields, dates not in CCYY/MM/DD format, hidden characters from Excel copy-paste, and logical errors like completion dates before start dates can all invalidate the submission. IDS remained a standalone classification under the 2026 framework, so COA data quality carries the same stakes as every other universe.

Walk Into the CPE Discussion With Clean Data

The CMS Universe Scrubber validates all 12 COA fields against the CMS specification and surfaces the coverage and balance gaps auditors will ask about.