The 5-Stage Delegation Oversight Framework We Believe CMS Expects — and Where Most Plans Fall Short

In our experience, CMS doesn’t just audit what your delegated entities do. It audits how you oversee them. Here’s a stage-by-stage breakdown of what we believe an effective, CMS-audit-ready FDR program looks like — and the specific gaps that generate findings.

Delegation oversight is one of the most operationally complex compliance responsibilities a Medicare Advantage plan carries. Unlike an internal audit — where the plan controls the evidence, the people, and the process — delegation oversight requires the plan to impose structure on external entities: vendors with their own systems, their own workflows, and their own interpretation of what CMS requires.

Under CMS’s regulatory framework, the plan sponsor is held fully accountable for externally performed work. When a PBM misinterprets a coverage criterion, when a utilization management vendor delays a determination, when a customer service contractor fails to train employees on updated requirements, the finding belongs to the plan. Not the vendor.

That accountability structure creates an obligation that is both clear and difficult: health plans must actively govern what their vendors do, demonstrate that governance systematically, and produce documentary evidence of that oversight on demand. This article breaks down what we believe are the five stages of a CMS-audit-ready delegation oversight program and the specific failure modes that generate findings in each one.

2024 CMS Finding

CMS’s 2024 Program Audit Report found that sponsors failed to track, address, and correct compliance issues related to delegated entity performance. The agency specifically noted that “internal routine monitoring processes didn’t detect untimely notifications to enrollees when a delegated entity misinterpreted regulatory requirements.” This is a CPE finding — one of the most consequential audit domains.

The Five-Stage Framework

Inovaare’s delegation oversight architecture — developed specifically for U.S. health plans operating under CMS Part C and Part D requirements — maps to five distinct operational stages. Each stage has what we believe to be a specific CMS documentation expectation. Each stage has common failure patterns that auditors are trained to identify.

1. Delegation Determination (Pre-Del)

Before any function is delegated

The pre-delegation assessment is the foundation of your FDR program. Before a plan can delegate a CMS-regulated function to any vendor, we believe CMS expects documentation that the plan assessed the vendor’s capability to perform that function in compliance with CMS requirements. This is not a formality — it is a compliance gate.

A complete pre-delegation assessment covers the vendor’s compliance program structure, training and screening processes, reporting infrastructure, and their ability to perform the specific delegated functions. In our view, CMS evaluates whether the plan’s criteria were applied consistently and whether the assessment documentation supports the approval decision.

Common Failure Pattern

Pre-delegation assessments completed verbally or via informal email review, with no standardized criteria and no documented evidence that the vendor’s responses were evaluated against specific CMS compliance standards before delegation was approved.

What We Believe CMS Wants to See

A standardized task survey sent to the vendor before delegation, documented vendor responses, a structured review process with defined criteria, and a formal approval decision — all on file and accessible to auditors without reconstruction.

2. Delegation Repository

Centralized documentation for every active FDR/DE

Once an entity is approved for delegation, everything related to that relationship needs to live in one place: the executed delegation agreement with specific performance standards, the completed pre-del assessment, all compliance documents submitted by the entity, and the complete audit and monitoring history for the relationship.

Plans that manage this documentation across shared drives, email inboxes, and departmental systems face a structural problem during audits: they cannot produce a complete, coherent picture of any given FDR/DE relationship quickly. CMS auditors move fast. Documentation that should already be on file, and producible within hours, can take days to assemble if it is scattered across systems.

Common Failure Pattern

Delegation agreements in Legal’s SharePoint, monitoring reports in the compliance team’s Excel tracker, audit history in a separate quality management system — no single location where an auditor (or the compliance team itself) can see the complete picture of any one entity’s relationship with the plan.

What We Believe CMS Wants to See

A centralized, auditable repository with document version control, expiration tracking, and a complete timestamped history for every active FDR/DE. Access-controlled so delegated entities can submit documents directly, eliminating email-based collection that is difficult to trace.

3. Reports & Monitoring

Continuous — not annual — performance oversight

This is the stage where most health plans have the largest gap between what they believe they are doing and what we think CMS expects to see. In our reading of CMS’s 2024 findings, annual audits are not sufficient. We believe sponsors are expected to conduct routine, ideally continuous, monitoring of delegated entity performance against the SLAs and CMS compliance requirements specified in the delegation agreement.

Routine monitoring means defined metrics, documented thresholds, and a systematic process that runs throughout the year — not just in advance of an annual delegation audit. It also means a documented escalation process: when a threshold is breached, who is notified, within what timeframe, and what happens next. The absence of this process is what allowed the specific finding in the 2024 CMS report — a delegated entity misinterpreting a coverage requirement without the plan detecting it through monitoring.

Common Failure Pattern

Monitoring collections that exist on paper but are reviewed only at quarterly committee meetings, with no automated alerts for threshold breaches and no documented escalation process. SLA performance data arrives from vendors in inconsistent formats with no standardized analysis framework.

What We Believe CMS Wants to See

Configurable monitoring collections with defined SLA metrics and tolerance levels, automated alerts when thresholds are breached, real-time scorecards showing each entity’s performance, and a documented escalation path from threshold breach to corrective action initiation — all with timestamped records.

4. FDR/DE Audit

Structured, documented audit processes for every delegated entity

We believe CMS expects health plans to conduct audits of their delegated entities, not just monitor their self-reported performance metrics. In our view, these FDR/DE audits need to follow a structured process: defined scope, sampling methodology, document review, field work, and a formal findings report. And critically, every finding needs a path to resolution.

The failure mode here is not usually the absence of audits. Most plans conduct some form of annual FDR/DE review. The failure is the absence of structure and linkage. Audit findings documented in a Word document that is then emailed to the vendor, with no tracking system to verify whether corrective action was actually taken, are unlikely to meet what we consider to be the CMS standard for documented oversight.

Common Failure Pattern

FDR audits conducted using informal checklists with no standardized scoring, findings communicated via email with no formal tracking, and no systematic verification that corrective actions committed to by the vendor were actually implemented within the agreed timeframe.

What We Believe CMS Wants to See

Structured audit lifecycle with defined scope and sampling logic, in-platform document review, findings documentation with severity scoring, and a direct linkage from each finding to a corrective action plan — with timelines, ownership, and evidence of closure all captured in the same system.

5. CAP / Remediation

Closing the loop — from deficiency identification to validated resolution

Corrective Action Plans are where delegation oversight programs most visibly succeed or fail. In our assessment, CMS does not just want to see that deficiencies were found. We believe the agency wants to see that each deficiency was assigned to an owner, given a resolution timeline, required supporting evidence of remediation, and closed only when that evidence was reviewed and accepted by the plan, not just acknowledged by the vendor.

When CAPs are tracked in a separate system from the audit findings that generated them, the audit trail breaks. When CAP closure is self-certified by the vendor with no evidence review by the plan, the closure is not defensible. When the same deficiency appears in consecutive annual audits, we believe it signals to CMS that the plan’s corrective action process is not effective, one of the most damaging patterns in a program audit.

Common Failure Pattern

CAPs issued after FDR audits tracked in a separate system from the audit findings, with no formal evidence review process, no escalation for overdue CAPs, and repeat findings in consecutive audit cycles that indicate corrective actions were nominal rather than effective.

What We Believe CMS Wants to See

Every deficiency automatically linked to a structured CAP in the same platform, with assigned ownership, documented remediation steps, defined evidence requirements, an escalation process for overdue items, and a validated closure decision — all creating a continuous, auditable remediation trail from deficiency to resolution.

The Self-Assessment Checklist

Use this checklist to identify where your current delegation oversight program has documentation gaps. Each item represents something we believe CMS auditors will look for during a compliance program effectiveness review.

Pre-Delegation Assessment (Stage 1)

Standardized pre-del task survey used consistently for all new delegated entities
Documented vendor responses on file for every active FDR/DE relationship
Formal approval decision documented before any function was delegated

Delegation Repository (Stage 2)

Single location where all documents for each FDR/DE are stored and accessible
Executed delegation agreement with specific performance standards on file
Document expiration tracking with advance alerts before key compliance documents lapse

Monitoring (Stage 3)

Defined SLA metrics and tolerance thresholds documented for each entity type
Monitoring data reviewed continuously — not just quarterly or annually
Documented escalation process from SLA breach to corrective action initiation

FDR/DE Audit (Stage 4)

Structured audit process with defined scope, sampling methodology, and findings documentation
Findings scored by severity with documented escalation criteria
Direct linkage from audit findings to CAP initiation — no manual handoff

CAP / Remediation (Stage 5)

Every finding linked to a CAP with assigned owner and documented deadline
Vendor’s corrective action not accepted without evidence review by the plan
No repeat findings in consecutive audit cycles for the same deficiency type

Why Most Plans Have Gaps Despite Doing the Work

The most consistent theme in delegation oversight gaps isn’t that plans aren’t doing oversight. It’s that they’re doing oversight they cannot prove. A compliance officer who conducts monthly monitoring calls with PBM partners knows what’s happening with SLA performance. But if those calls aren’t documented with timestamped records, specific metrics reviewed, and a logged outcome, they don’t exist from CMS’s perspective.

The same is true for pre-delegation assessments conducted via email, findings communicated via PDF, and corrective actions tracked in a spreadsheet that shows completion dates without evidence. Plans that build oversight into their operations but rely on manual, distributed documentation processes end up with CMS findings not because the oversight didn’t happen, but because the documentation doesn’t hold up.

The Documentation Principle

In a CMS audit context, undocumented oversight is effectively no oversight. The five-stage framework described in this article is meaningful not just as an operational process but as a documentation architecture. In our view, each stage produces specific records that, taken together, constitute the evidence base an auditor needs to confirm that the plan is managing its FDR network in compliance with CMS requirements.

See the Five Stages in Action

Inovaare’s Delegation Oversight platform maps directly to these five stages — with pre-built workflows, continuous monitoring, and a secure DE Portal that makes the documentation we believe CMS expects the default output of everyday operations.


Sources: CMS 2024 Part C and Part D Program Audit and Enforcement Report; CMS Compliance Program Effectiveness Audit Domain; BlueCross 2024 FDR Guide (illustrative industry practice).
