PCOOB Weekly — May 15, 2026
PCOOB Weekly — Issue 5 — May 15, 2026

The Audit Changed. Your Audit Readiness Program Probably Hasn’t.

CMS’s 2026 program audit redesign eliminates scoring, retires condition classifications, and embeds compliance into every fieldwork session. Plans prepared for the 2025 framework are prepared for an audit that no longer exists.

Compliance Program Governance / Audit Readiness / ODAG

Regulatory-Analysis-Led / Operational Fault Line

CMS (Tier 1), KFF (Tier 2)

Scroll to read
Editor’s Note

The system that told you how severe a finding was no longer operates.

Every year, MA plans update their audit preparation checklists. They review which conditions carried the most points, where they lost ground in previous audits, and what the ICAR findings told them about enforcement risk. For 2026, that process starts from the wrong premise.

CMS has structurally redesigned its program audit framework — not updated it. Audit scoring is eliminated. The four-tier condition classification system is replaced with three. Compliance program effectiveness is no longer evaluated separately from program area audits; it is now embedded directly into every domain review. And CMS has initiated quarterly compliance officer calls, creating a standing relationship with plan leadership that extends beyond the annual audit window.

For compliance officers, legal teams, and operations leaders preparing for 2026, the question is not what the new protocols say. It is whether your preparation infrastructure, your governance model, and your monitoring systems are built for what CMS is actually measuring — not for the framework it retired.

0
Audit Score in 2026
Conditions no longer carry points. No aggregate score is produced. The metric that structured audit preparation for years has been eliminated entirely.
16/18
2024 Violations With Aggravating Factor
Of 18 violations CMS found in 2024 audits across 14 sponsors, 16 carried aggravating penalty factors — signaling sustained, systemic noncompliance in plans with active compliance programs.
80%
MA Appeal Overturn Rate at Plan Level
MA plans overturn 80% of their own denials when members appeal at the plan level — a compliance signal, not just an operational metric, under the 2026 integrated CPE framework.
01
The Argument

The scoring model is gone. The conditions that drove preparation with it.

CMS’s 2026 Program Audit Annual Update removes the point-based scoring system that has structured audit preparation for years. Plans will no longer receive audit scores. Conditions will no longer carry point values. CMS has said it may consider alternative weighting methods in the future — which means the next cycle will also not have a stable scoring framework to prepare against.

2025 Classification System
2026 Classification System
Observation retired
kept Observation (no CAP required)
ORCA retired
new CAR — Corrective Action Required
CAR retired
new IDS — Invalid Data Submission
ICAR retired
— (no equivalent)

For plans that calibrated their audit exposure to point totals and condition tiers, this creates a preparation problem. The system that told you how severe a finding was, and how much risk mitigation effort that severity warranted, no longer operates. What replaces it is CMS’s qualitative assessment of whether noncompliance recurred, whether it had enrollee impact, and whether the plan’s compliance program would have detected and corrected it without external pressure. That is a different kind of evidence to produce — and a different discipline to maintain between audit cycles.

> CMS 2026 Program Audit Redesign — Structural Changes Summary

Six structural changes. One new standard of evidence.

> change_01
Audit scoring eliminated
Conditions no longer carry points. No aggregate audit score is produced. CMS may consider alternative weighting in future cycles.
> change_02
Four-tier classification retired
Observation, ORCA, CAR, and ICAR replaced by three: Observation (no CAP), CAR (remediation required), and IDS (invalid or incomplete data submission).
> change_03
CPE embedded in every program area
Compliance program effectiveness is evaluated inside ODAG, CDAG, FA, and other fieldwork — not separately. Compliance officers participate in domain fieldwork alongside operations leadership.
> change_04
Quarterly compliance officer calls established
CMS initiates standing quarterly educational calls with plan compliance officers — sharing findings, discussing best practices, and building a year-round regulatory relationship.
> change_05
Validation audit threshold changed
Independent auditors now required only when a plan has more than five conditions needing validation audit — vs. 2025’s broader threshold. Simple fixes may be validated directly by CMS.
> change_06
Engagement letter window: Feb–Aug 2026
Audit engagement letters will be issued February through August 2026. Fieldwork remains within a two-week window, with CPE integrated throughout.
Source: CMS 2026 Program Audit Annual Update. CMS.gov. Tier 1 primary source. Plans should review the audit submission checklist and user group Q&A resource available at cms.gov/medicare/audits-compliance/part-c-d/program-audits.
02 — The Scale

What the 2024 enforcement record tells us about where CMS was looking

CMS released its 2024 Part C and Part D Program Audit and Enforcement Report in July 2025. It covers 494 contracts — 87.6% of the total MA population — across 39 program audits of 36 parent organizations. Of the 39 audits, 19 were routine full-scope and 20 were focused. CMS imposed civil monetary penalties on 14 sponsors for 18 distinct violations. Of those 18 violations, 16 carried aggravating penalty factors.

The aggravating penalty rate is the signal. An aggravating factor typically indicates prolonged noncompliance, failure to correct after internal identification, or repeat violations in an organization that had compliance programs in place. Sixteen of 18 violations at that threshold suggests CMS was finding patterns of sustained noncompliance — not first-time, good-faith errors.

That is precisely what the 2026 CPE redesign is designed to change. When CMS fieldwork begins for ODAG, the compliance officer needs to demonstrate — not describe — how the compliance function monitors timeliness, identifies root causes, and has corrected past noncompliance. The 2024 enforcement record tells us that CMS has already been finding organizations where that integration was missing. The 2026 framework is designed to make the absence of that integration visible earlier in every audit.

The ODAG program area carries particular weight here. The 2024 enforcement report identified coverage request misclassification as a recurring finding. CMS’s own data — confirmed through KFF analysis — shows that MA plans overturn 80% of appeals at the plan level on reconsideration. Under integrated CPE review, that overturn rate will be visible to CMS during ODAG fieldwork as a compliance indicator, not just an operational metric in a separate report.

2024 Audits Completed
494
Contracts audited — 87.6% of the total MA population across 39 program audits of 36 parent organizations.
CMPs Imposed
14
Sponsors received civil monetary penalties for 18 distinct violations. 16 of 18 carried aggravating penalty factors.
MA Appeal Overturn Rate
80%
MA plans overturn 80% of appeals at the plan level. Under 2026 CPE integration, CMS will assess this rate as a compliance signal during ODAG fieldwork.

“The policy binder is not sufficient evidence. The monitoring log and the correction documentation are.”

PCOOB Weekly — May 15, 2026 — CMS 2026 Audit Framework Analysis
03 — The Response

Three things that change under the 2026 framework

Before Engagement Letter Arrives
01
Compliance is embedded in fieldwork, not adjacent to it
The 2026 CPE shift means compliance officers need to be operationally conversant in every program area they monitor. When CMS ODAG fieldwork begins, the compliance officer needs to speak to: how the organization monitors timeliness in real time, what root cause analysis produced after the last finding, and what systemic correction was implemented and verified. The policy binder is not sufficient evidence. The monitoring log and the correction documentation are. Plans that run compliance as a policy function separate from operations are not prepared for this format.
New for 2026: CPE evaluated during ODAG, CDAG, FA, and SNP-CC fieldwork
02
The IDS classification creates a new documentation obligation
Invalid Data Submission — new for 2026 — is triggered when a plan cannot provide accurate or complete universes or documentation during fieldwork. Universe submission quality has always been consequential, but the IDS classification gives CMS a distinct, named finding for documentation failures that is separate from a substantive compliance violation. Plans should conduct a pre-audit assessment of universe submission completeness and documentation integrity for each program area before engagement letters arrive. This is not a data cleanup task. It is a documentation integrity audit.
IDS: new named classification — no equivalent existed in 2025 framework
03
The quarterly compliance officer calls are a governance channel, not a check-in
CMS’s initiation of quarterly educational calls with plan compliance officers signals an expectation of ongoing engagement outside the audit window. Plans should treat these calls as a real-time channel for understanding where CMS’s audit focus is shifting — and as evidence, when the audit arrives, of active regulatory engagement. Plans that participate passively will miss what these calls are designed to surface: CMS’s current view of common compliance gaps and the operational patterns it expects compliance programs to be detecting. Plans that engage actively will arrive at fieldwork with a clearer picture of what CMS considers evidence of compliance integration — and more time to produce it.
New for 2026: Quarterly calls with CMS — not an annual-only audit relationship
Key Takeaways

Five things compliance and operations leaders should act on now

The 2026 audit redesign changes the evidence standard, the classification system, and the cadence of CMS engagement. Plans calibrated to 2025 need to re-map their readiness programs before engagement letters arrive.

Audit scoring is gone. Plans calibrating preparation to point totals are preparing for a framework that does not exist. The new standard is qualitative: did noncompliance recur, was there enrollee impact, and would the compliance program have caught it without CMS?

IDS is a new, named failure category. Invalid Data Submission applies when a plan cannot produce complete, accurate universes or documentation during fieldwork — distinct from a substantive compliance violation. Audit prep now includes a documentation integrity review.

The 2024 enforcement rate tells you what CMS was finding. 16 of 18 violations carried aggravating factors — sustained, systemic noncompliance in plans with active compliance programs. The 2026 CPE design is a direct response to that finding.

The 80% overturn rate is now a compliance indicator. Under integrated CPE review, CMS will see that rate during ODAG fieldwork — not after the fact. Plans with high overturn rates need a documented compliance response to the upstream determination process.

The quarterly compliance officer calls start the compliance relationship earlier. These are not passive briefings. They are CMS’s mechanism for signaling audit focus — and a plan’s mechanism for demonstrating proactive engagement with the regulatory process.

Open Threads

What to watch next

First 2026 audit cycle findings

Engagement letters issued Feb–Aug 2026. First fieldwork results under the new framework — particularly IDS classifications and CPE integration assessments — will clarify how CMS applies the new standards in practice.

Quarterly compliance officer call outcomes

The first round of CMS’s new quarterly compliance officer calls will surface where CMS is focusing audit attention in 2026. Any CMS publication of findings or best practices from these calls would be significant.

ODAG misclassification pattern under new framework

Coverage request misclassification was a recurring 2024 finding. Under integrated CPE review, the compliance function’s response to that pattern — documented monitoring, root cause analysis, systemic correction — will be evaluated directly during ODAG fieldwork.

Corrective action plan quality under CAR vs. ICAR

With ICAR eliminated, plans face CAR as the primary enforcement classification for substantive noncompliance. How CMS validates CAR remediation — and whether plans are producing higher-quality CAPs without the ICAR trigger — is worth tracking.

Sources
1
CMS 2026 Program Audit Annual Update
CMS.gov — cms.gov/medicare/audits-compliance/part-c-d/program-audits. Confirms: audit scoring eliminated; ICAR/ORCA retired; three-tier classification (Observation/CAR/IDS); CPE embedded in each program area; quarterly compliance officer calls; engagement letters Feb–Aug 2026; validation audit threshold revised (>5 conditions).
Tier 1 — CMS
2
CMS 2024 Part C and Part D Program Audit and Enforcement Report
cms.gov/files/document/2024-audit-and-enforcement-report.pdf. Issued July 15, 2025. 494 contracts audited (87.6% of Part C), 39 audits of 36 organizations, 14 sponsors received CMPs for 18 violations, 16 of 18 with aggravating penalty, coverage request misclassification as recurring finding.
Tier 1 — CMS
3
KFF analysis of CMS MA appeal data
kff.org/medicare. Confirms: MA plans overturn 80% of appeals at plan level on reconsideration; 80.7% partially or fully overturned in KFF analysis; low share of denied requests actually appealed.
Tier 2 — KFF
PCOOB Weekly
Namrata Giri
Healthcare payer compliance, strategy, and AI-enabled operations
PCOOB Weekly covers payer compliance, operations, oversight, and risk for U.S. health plan leaders. Independent analysis. No vendor affiliation. Every edition is factual, sourced, and perspective-led.
Follow on LinkedIn
© 2026 PCOOB Weekly. Independent analysis for U.S. health plan leaders.
All analysis is based on publicly available regulatory sources. This publication does not constitute legal, compliance, or financial advice.