The 2026 CMS Program Audit season is underway, and early signals are reinforcing a clear theme: expectations around compliance oversight, operational integration, and data integrity continue to rise. While many requirements are familiar, audit activity suggests CMS is sharpening its focus on how plans demonstrate, not just document, effective compliance in practice.
Compliance
- The much-anticipated compliance changes are now in effect, with interviews placing a strong emphasis on demonstrated oversight and effective collaboration between compliance and operations teams.
- Compliance Officers should be well versed in all Pre-Audit Issue Summary items submitted and be prepared to clearly articulate the Compliance team’s role in overseeing corrective actions and system-related fixes. Auditors are continuing to place particular focus on compliance oversight of the utilization management program, reinforcing expectations around active monitoring and accountability.
- In addition, several discrete areas are receiving heightened scrutiny, including the accuracy and defensibility of universe generation and validation processes, the timely and appropriate auto-forwarding of cases to the Independent Review Entity (IRE), and alignment with the Office of Inspector General’s Medicare Advantage compliance program guidance.
Special Needs Plans (SNPs)
- CMS is applying more granular, scenario‑based review in SNP program areas, with particular attention to compliance oversight of Model of Care implementation and operational execution. Auditors are increasingly focused on whether Compliance has visibility into and actively monitors SNP‑specific requirements, including timely HRAs, individualized care planning, interdisciplinary care team engagement, transitions of care, and coordination with Medicaid or LTSS partners for D‑SNPs.
- Early audit observations indicate CMS expects Compliance to demonstrate active, structured oversight of SNP care management operations, not just the existence of policies, including clearly defined processes for identifying, tracking, and escalating SNP‑specific risks. CMS is also looking for evidence that SNP operational outcomes (such as HRAs, ICP timeliness, TOC notifications, and ICT participation) are consistently monitored and formally tied to compliance reporting, issue tracking, quality outcomes tracking, and remediation governance.
Organizational Determinations, Appeals and Grievances
- As indicated in the compliance area, CMS is clinically focused on UM, particularly on oversight by Compliance and the Medical Director. CMS continues its rigorous clinical review and remains focused on denials for medical necessity.
Formulary Administration
- CMS continues to scrutinize inappropriate claims rejections and problems arising from eligibility and enrollment issues.
Coverage Determinations, Appeals and Grievances
- Misclassification of coverage requests continues to be an issue targeted by CMS. Untimely notification and incorrect or incomplete notifications are also scrutinized.
Universes
- Universe development is emerging as a clear compliance‑owned risk, with CMS repeatedly assessing whether Compliance can demonstrate structured oversight of universe logic, validation, and reconciliation across internal and delegated operations. Plans should ensure operational teams are aligned to these controls, including advance identification of delegate universe contributors and readiness to combine subcontractor data accurately and consistently.
What Should Plans Do Now?
- Ensure Compliance leadership can confidently speak to Pre-Audit Issue Summary submissions, including status, root cause, and oversight of remediation efforts.
- Validate that utilization management oversight activities are well documented, consistently executed, and clearly tied to compliance monitoring and reporting.
- Ensure the Medical Director and UM staff are clear on their roles and can speak to them.
- Confirm Compliance has visibility into SNP‑specific care management workflows, including HRAs, ICP development and updates, ICT engagement, and transitions of care, and can articulate how oversight is maintained in practice, not just through policy documentation.
- Reconfirm the integrity of universe generation and validation processes, with clear audit trails and documented quality checks.
- In addition to running universes monthly, obtain universes from your delegates and practice combining them.
- Review IRE auto-forwarding logic and controls to ensure accuracy, timeliness, and consistency with regulatory expectations.
- Assess alignment with OIG Medicare Advantage compliance guidance, including evidence of ongoing monitoring and program effectiveness.
As audit activity continues, early observations point to a consistent expectation from CMS that compliance ownership and active oversight must be clearly demonstrated. Plans should be able to show how monitoring activities connect to operational outcomes, supported by data, documentation, and cross-functional alignment. Now is the time to validate these connections, address any gaps, and ensure teams are prepared to speak to them confidently during audit.
