Continuous Internal Audit for MA Plans: What Year-Round Readiness Actually Requires

CMS no longer audits in seasons. With compliance now embedded in every program area and reviews running year-round, audit readiness has to be a permanent state, not an annual project. Here is what that takes, in operational detail.

For years, Medicare Advantage compliance teams organized the calendar around a familiar rhythm. Prepare for a possible program audit. Brace for a possible RADV selection. Then exhale until next year. That rhythm is gone.

In 2026, CMS effectively moved to continuous oversight. On the operational side, it folded compliance review into every program area it examines. On risk adjustment, it now audits every eligible contract rather than a small sample and launches new RADV reviews roughly every quarter. The regulator has changed its clock. The plans that stay out of trouble are the ones that stopped treating the audit as an event and started treating audit readiness as a permanent state.

So what does that actually look like inside a health plan? Not the brochure version. The week-to-week operational reality. That is what this piece breaks down.

From “audit season” to “always audit season”

How the compliance calendar changed
The old rhythm

Audit as an event

  • Prepare for a possible program audit
  • Brace for a possible RADV selection
  • Exhale until next year
  • A knowable window to prepare against

The 2026 reality

Audit readiness as a permanent state

  • Compliance embedded in every program area
  • Every eligible contract reviewed, year-round
  • New RADV reviews roughly every quarter
  • No window left to prepare against

Two distinct CMS audit programs changed at once, and it pays to keep them straight, because plans that blur them prepare for the wrong thing.

The first is the program audit, and it is where most of an MA plan’s year-round exposure now lives. The 2026 protocol removed audit scoring, retired the standalone Compliance Program Effectiveness review, and embedded compliance evaluation directly into each program area: Formulary Administration, Part C organization determinations, appeals and grievances (ODAG), Part D coverage determinations, appeals and grievances (CDAG), and, where applicable, Special Needs Plan care coordination. CMS also added a Part C utilization management focus that requires plans to report their internal coverage criteria and the entities or vendors that developed them. Add a six-week notice window, universes due about three weeks before the start date, and harsher penalties for inaccurate universes, and the operational burden is now effectively year-round.

The second is RADV, a separate program focused on risk-adjustment documentation. CMS expanded it from roughly 60 plans a year to all eligible contracts, about 550 of them, with variable samples of 35 to 200 enrollees and findings extrapolated across the full contract population. PY 2020 audits began in February 2026, on a roughly quarterly cadence. It is worth naming because it adds to the same continuous burden, but it is a different track with different mechanics, and the operational detail in this piece centers on the program audit.

Two programs, one continuous clock

Where most year-round exposure lives: The Program Audit

  • Focus: Compliance evaluated inside each program area: FA, ODAG, CDAG, and SNP care coordination where applicable
  • 2026 changes: Audit scoring removed; standalone Compliance Program Effectiveness review retired; new Part C utilization management focus
  • Notice window: ~6 weeks; universes due ~3 weeks before the start date
  • Penalty shift: Harsher penalties for inaccurate or late universes

A separate track, same burden: RADV

  • Focus: Risk-adjustment documentation
  • Scope: Expanded from ~60 plans a year to all eligible contracts (~550)
  • Sample: 35 to 200 enrollees; findings extrapolated across the full contract population
  • Cadence: PY 2020 audits began February 2026, roughly quarterly

Source figures per CMS 2026 program audit protocol and RADV expansion, as described in this article.

  • ~550: Eligible contracts now in RADV scope (was ~60 a year)
  • 35–200: Enrollee sample per RADV review, extrapolated contract-wide
  • 6 wks: Program audit notice window before the start date
  • 3 wks: Lead time universes are due ahead of the start date

The Bottom Line on the Shift

Put both together and one conclusion is hard to escape: episodic preparation no longer maps to how the regulator works. You cannot prepare for a window that no longer exists.

What “continuous internal audit” means (and what it does not)

The phrase gets used loosely, so let us be precise. A continuous internal audit is a standing operational capability that monitors the same universes, documentation and decisions CMS will examine, on the same cadence the regulator now uses, so issues surface and get corrected before they become findings.

It is worth naming what it is not:

It is not an annual mock audit. A once-a-year snapshot tells you the state of a universe in March. It says nothing about the drift that happens in April.

It is not a consultant visit. External point-in-time reviews are useful inputs, but they are inputs to a function, not the function itself.

It is not after-the-fact reporting. Logging a timeliness miss in a dashboard after the clawback notice arrives is documentation, not prevention.

The defining feature is cadence. If CMS reviews on a rolling, quarterly basis and you review once a year, you are structurally behind no matter how good your annual review is.

The Operating Layer


What it actually looks like, week to week

A mature continuous internal audit runs across six interlocking layers. Each maps to something CMS now examines on its own clock.

The six interlocking layers

1. Submission-ready universes: ODAG, CDAG, FA and SNP-CC universes generated, validated and reconciled on a standing schedule — not reconstructed under deadline.
2. Documented coverage criteria: Internal coverage criteria and the entities that developed them, version-controlled and tied to the decisions they govern.
3. Near-real-time decision review: Timeliness, clinical decision-making and effectuation in ODAG and CDAG monitored on rolling samples, not just at year-end.
4. Root-cause routing: Every flagged exception traced to a process, vendor or system origin — not just logged on a scorecard.
5. Delegate & FDR oversight: Delegated entities and FDRs held to the plan’s own standard, on the plan’s own cadence.
6. Living evidence & CAPs: Corrective action plans tracked to closure continuously, with evidence assembled as work happens.

1. Universes stay submission-ready, not reconstructed under deadline

CMS now sends an audit notice about six weeks out, with universes due roughly three weeks before the start date, and it penalizes inaccurate or late universes more harshly than before. A plan that only assembles ODAG, CDAG, FA and SNP-CC universes when the notice lands is already behind on day one. In a continuous model, those universes are generated, validated against current table specifications and reconciled on a standing schedule, so the audit notice triggers a review rather than a fire drill.

2. Internal coverage criteria and utilization management are documented and inventoried

The new Part C utilization management focus expects plans to show their internal coverage criteria for CMS-targeted services and to identify the entities or vendors that developed them. That is not a document you can produce on six weeks’ notice if nobody has been maintaining it. In a continuous model, the coverage-criteria inventory is version-controlled as criteria change, tied to the medical-necessity decisions it governs, and ready to walk an auditor through on demand rather than assembled in a panic during the audit webinar.

3. Operational decisions are reviewed in near real time

Timeliness, clinical decision-making and effectuation in ODAG and CDAG are monitored on rolling samples, not just at year-end. Because compliance is now evaluated inside each program area, a plan that watches these decisions as they happen can answer CMS in real time and correct drift before it accumulates into a pattern worth a finding.

4. Issues are routed to root cause, not just logged

This is the part most teams underbuild. Because compliance is now embedded in each program area, a single timeliness miss is no longer a number on a scorecard. It is the start of a “why did this happen” conversation that CMS may have with your compliance officer in the moment. Continuous root-cause analysis, where every flagged exception is traced to a process, vendor or system origin, replaces the year-end scramble to explain trends nobody was watching.

5. Delegated and FDR oversight runs on the same clock

Many of the decisions inside your universes were made by delegated entities and first-tier, downstream and related entities. A continuous internal audit holds their data and decisions to the plan’s own standard on the plan’s own cadence, rather than discovering a delegate’s timeliness problem only when it shows up in a CMS sample.

6. Evidence and corrective actions are living

Corrective action plans are tracked to closure continuously, with evidence assembled as work happens rather than recreated months later. When an auditor asks for proof, the answer is a current record, not an archaeology project.


A defined cadence, matched to risk

Continuous does not mean “everything, constantly.” It means a defined cadence matched to risk. A practical rhythm looks like this:

  • Daily: Exception monitoring on timeliness and effectuation; alerts on universe data anomalies.
  • Weekly: Rolling sample review across active program areas; new exceptions routed to root-cause owners.
  • Monthly: Program-area deep dive (FA, ODAG, CDAG, SNP-CC); internal coverage criteria review; delegate and FDR scorecards.
  • Quarterly: Full mock against the current CMS protocol, timed to the regulator’s own roughly quarterly audit cadence; CAP closure review.

Why the annual mock audit no longer protects you

The annual mock audit was built for a world with a knowable audit window. You hired a firm, they ran a two-week simulation, you fixed what they found, and you were reasonably covered until the next cycle. CMS removed the window. It now audits all eligible contracts and starts new reviews every few months.

In that environment, a single yearly snapshot has two structural problems. First, it goes stale almost immediately, because a universe that was clean in the spring can drift by summer. Second, it measures against a protocol that is itself changing, with CMS already circulating proposed 2027 adjustments to ODAG and Formulary tables and a blended oversight questionnaire. A continuous function absorbs those changes as they land. A once-a-year review codifies last year’s protocol and calls it readiness.

None of this makes external reviews worthless. It reframes them. The smartest plans use point-in-time assessments as calibration checks against a continuous engine, not as the engine.

Where to start

No plan stands up full continuous auditing overnight. It helps to know which stage you are in and what the next step looks like.

A continuous-audit maturity path

  • Stage 1: Reactive. You respond when CMS or a delegate flags something. You learn about problems from the people empowered to penalize them. Risk: highest.
  • Stage 2: Periodic. You run scheduled internal reviews, often annually. Better, but still a snapshot against a moving regulator. Risk: high.
  • Stage 3: Continuous monitoring. Universes, samples and documentation validated on a standing cadence, with exceptions routed to root cause as they occur. Risk: managed.
  • Stage 4: Predictive. Pattern analysis surfaces emerging risk before it becomes a miss, and oversight extends across delegates and FDRs on the same clock. Risk: lowest.

The practical first move is narrow and concrete: pick your highest-risk program area, the one most likely to draw a CMS question or generate a member complaint, and stand up continuous universe validation and exception routing there first. Prove the model in one area, then extend it.


CMS has already moved. Has your audit function?

CMS has already moved to continuous oversight. It audits every eligible contract, on a rolling cadence, with compliance woven into every program area it touches. The only open question is whether your internal audit function has moved with it, or whether it is still organized around a season that no longer exists.

Inovaare built its AI Agent Studio for exactly this shift: a single platform where MA plans keep program audit universes submission-ready, monitor ODAG, CDAG, Formulary and SNP-CC decisions on a standing cadence, document and version their internal coverage criteria, route exceptions to root cause, oversee delegated entities and FDRs, and track corrective actions to closure, continuously, against the protocols CMS is using right now. If your team is still rebuilding universes under deadline, that is the gap worth closing first.

Inovaare Compliance Team

Inovaare builds AI-native compliance and operations solutions for U.S. health plans. Its AI Agent Studio is designed around the program audit, universe management and delegation oversight requirements Medicare Advantage plans are held to, with continuous monitoring and corrective-action tracking built into the workflow.
