Protocol Reference · Part of the CMS Program Audit Guide
CPE and the COA Universe: The 2026 Reference
CPE (Compliance Program Effectiveness) tests whether the compliance program actually operates. Under the 2026 approach it runs as a discussion-based review during fieldwork, and the COA universe is the agenda for that conversation.
The 2026 Shift: A Discussion, Not a Silo
CMS's November 2025 Program Audit memo replaced the old standalone CPE session with a discussion-based review during fieldwork, a pilot we refer to as "Collaborating on Compliance" (our shorthand, not an official CMS program name). The format sounds friendlier. In practice it raises the bar: auditors expect the compliance officer to speak fluently about how the program detects, escalates, and corrects noncompliance, with the plan's own COA data on the table.
Auditors use the COA universe to map oversight activities to the operational areas being audited (if ODAG has timeliness findings, did COA show monitoring of coverage determinations?), to probe root causes of identified deficiencies, to evaluate whether oversight results reach the right stakeholders, and to assess balance across auditing, monitoring, and investigations, and across compliance and FWA focus areas.
The COA universe is still collected and still integrity-tested. What changed is what it gets used for: it stopped being a submission and became the script for the conversation.
The 12 COA Data Elements
| Column | Field | What CMS Looks For |
|---|---|---|
| A | Component | Does oversight map to the program areas CMS audits? |
| B | Activity Type | Balance across Auditing, Monitoring, and Investigations |
| C | Compliance or FWA | Coverage of both focus areas |
| D | Activity Frequency | Ongoing oversight versus one-time activities |
| E | Activity Rationale | Evidence of a risk-based approach |
| F | Activity Description | Enough detail to carry a discussion |
| G | Activity Start Date | Alignment with the audit period |
| H | Activity Completion Date | Evidence activities were actually completed |
| I | Number of Deficiencies | Foundation for root cause discussion |
| J | Description of Deficiencies | Specifics for corrective planning |
| K | Corrective Action Required | Evidence of accountability and follow-through |
| L | Activity Results Shared | Governance and communication of results |
The Gaps That Undermine the Discussion
- •Activity type imbalance. Heavy auditing activity with minimal monitoring or investigations invites the question: how do you detect issues between audits?
- •Deficiencies without corrective actions. Closed activities with deficiencies identified and the corrective action field blank or "TBD" invite: what happened after you found this?
- •Results that never reach governance. Activity Results Shared consistently blank or "No" invites: how does leadership know what you are finding?
- •Component gaps. Operational areas with audit findings but no corresponding oversight activity in COA is the single most exposed position a compliance officer can be in during the discussion.
- •Data quality. Missing required fields, wrong date formats, hidden characters, and completion dates before start dates. IDS applies to COA the same as everywhere else.
Go Deeper
- •The full CPE COA universe guide covers the 12 elements, the analytics that support the discussion, and a preparation sequence.
- •What changed in the 2026 framework covers the retirement of scoring and ICAR/ORCA alongside the CPE shift.
- •The Friday afternoon HPMS memo covers the guidance-to-implementation evidence trail that the discussion-based review probes.
Frequently Asked Questions
What is the CPE protocol in a CMS Program Audit?
CPE (Compliance Program Effectiveness) evaluates whether the compliance program required by 42 CFR 422.503(b)(4)(vi) and 423.504(b)(4)(vi) actually operates: how the sponsor detects, escalates, and corrects noncompliance. It applies to all sponsors, not just those with particular products, and its universe is the Compliance Oversight Activities (COA) table.
What is the COA universe?
The COA (Compliance Oversight Activities) universe lists the sponsor’s auditing, monitoring, and investigation activities during the review period across 12 data elements, including the component covered, activity type, rationale, dates, deficiencies found, corrective actions required, and whether results were shared. It is the one universe the CPE protocol collects.
What changed for CPE in 2026?
CMS’s November 2025 Program Audit memo moved CPE out of its own session and into fieldwork as a discussion-based review, a pilot sometimes referred to as "Collaborating on Compliance" (Sevana’s shorthand, not an official CMS program name). The COA universe is still collected, and it now functions as the agenda for the discussion: auditors use it to map oversight to operational areas, probe root causes, and evaluate whether results reach governance.
Can a COA universe trigger an IDS finding?
Yes. The same data integrity testing applies: missing required fields, dates not in CCYY/MM/DD format, hidden characters from Excel copy-paste, and logical errors like completion dates before start dates can all invalidate the submission. IDS remained a standalone classification under the 2026 framework, so COA data quality carries the same stakes as every other universe.
Walk Into the CPE Discussion With Clean Data
The CMS Universe Scrubber validates all 12 COA fields against the CMS specification and surfaces the coverage and balance gaps auditors will ask about.