Maintaining Medicare Advantage Audit Readiness in 2026 and Beyond

Aiming for a comprehensive view of plans’ overall compliance, CMS this year is unleashing a host of changes to Medicare Advantage program audits. With the first batch of audit notices rolling out in March, is your organization prepared for what’s changing?

Combined, the changes will lead to “more conversational, collaborative audits with compliance at the table throughout the process” and increased attention on “findings, root cause and sustained correction,” says Wendy Edwards, area vice president of health plan services consulting with BluePeak Advisors. Sponsors will need to adjust their timelines, staffing and readiness plans accordingly, she stressed during a recent webinar.

What’s Changing in the 2026 Program Audits?

• Extended audit season, as engagement letters will be sent from February through August. The first batch of audit notices are expected to go out no later than March 2.
• Compliance program effectiveness (CPE) review will no longer take place as a separate audit event. Instead, CMS will evaluate CPE during interviews in the fieldwork phase of the audit.
• Utilization management is under scrutiny. CMS is looking to make sure MA enrollees can “access medically necessary services without excessive burden or delays,” per CMS’s 2024 final rule clarifying coverage criteria.
• Fewer condition categorizations. The number of audit conditions will be reduced from four to two, with the removal of the Immediate Corrective Action Required (ICAR) and Observation Requiring Corrective Action (ORCA) classifications. Instead, noncompliance will be categorized as either Corrective Action Required (CAR) or Observation. This offers sponsors more clarity around expectations.
• Elimination of scoring. CMS will no longer score audit findings, meaning no more “golf-style scoring tables,” said Edwards.

Although CPE is no longer a standalone program audit area, plans can expect CMS to discuss monitoring activities for the specific program areas of Formulary Administration (FA), Part C Organization Determinations, Appeals, and Grievances (ODAG), Part D Coverage Determinations, Appeals, and Grievances (CDAG) and, if applicable, Special Needs Plan Care Coordination (SNP-CC).

Compliance officers should be ready to have in-depth discussions about how the plan prevents, detects and corrects noncompliance in each program area. If noncompliance in any of the program areas is identified throughout the discussions, the plan’s compliance officer will need to follow up and ensure that it did not stem from a root cause.

It’s important to note that CMS will still collect some information from the current CPE protocol, including the Compliance Oversight Activities (COA) universe. BluePeak can review your COA universe and pre-audit issue summary to ensure that it is compliant and accurate.

CMS intends to share information about compliance issues found during the audits on quarterly compliance calls, the first of which will take place March 24.

“Maintaining a clear line of sight” to open Corrective Action Plans (CAPs) and being ready to explain how compliance partners with each program area will be critical, said Edwards. “Strong documentation will accelerate the responses when it comes to doing this fieldwork.”

What Can Compliance Officers Do Now to Prepare?

BluePeak recommends compliance officers stay on top of four key areas:

1. Know the audit elements in each program area. Do you understand how you oversee these even if that’s not your area?
2. Map your COA to the program area requirements. Can you identify compliance workplan activities within your COA that demonstrate oversight of key program area functions?
3. Prepare narratives for known risks, understanding what happened, monitoring what’s in place and providing a remediation. “These are conversations that feel like tracers, even though tracers won’t be used,” noted Edwards.
4. Understand operational monitoring. Are you familiar with the monitoring activities taking place within the respective program areas? Are they regularly reported to compliance?

Also knowing what’s ahead for 2027 will be helpful. CMS has already indicated it will pursue changes such as a one-year universe for the COA, a combined single questionnaire encompassing all compliance officer and First Tier, Downstream and Related Entities (FDR) questions. And while CMS said it intends to make the organization structure presentation optional, BluePeak recommends plans continue to compile these, as they come in handy during mock audits.

Looking ahead, plans should pay close attention to several compliance areas that were recently highlighted in the HHS-OIG’s Medicare Advantage Industry Segment-Specific Compliance Program Guidance. These include network adequacy, inappropriate care denials, marketing and enrollment oversight, and data accuracy.

There’s a lot shifting this year, and one thing is clear: With compliance now embedded into each program area, compliance officers need a simple, reliable way to oversee what’s in place, where the risks are, and how remediation is progressing across FA, CDAG, ODAG, and SNP-CC. That’s exactly why we created the Compliance Officer’s Toolkit™ featuring the 2026 Compliance Oversight Tracker™ — a pre-populated Excel tracker designed to give you clarity, structure, and a confident audit readiness narrative utilizing each audit protocol. It helps you document oversight activities, surface gaps early, track remediation, and speak clearly to CMS about operational activities and prevention, detection, and correction efforts on what is found.