Program Audits

Medicare Part C and Part D
Compliance Program
Effectiveness (CPE)
PROGRAM AUDIT PROTOCOL AND DATA
REQUEST

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)

Table of Contents

Program Audit Protocol ............................................................................................................................. 3
Purpose ........................................................................................................................................................ 3
Audit Elements Tested................................................................................................................................ 3
Program Audit Data Request .................................................................................................................. 12
Audit Engagement and Universe Submission Phase.............................................................................. 12
Universe Submissions ....................................................................................................................... 12
Universe Requests ............................................................................................................................. 12
Universe Table 1: Compliance Oversight Activities (COA) Record Layout...................................... 12
Supplemental Documentation Submissions.....................................................................................16
Supplemental Documentation Requests ......................................................................................... 16
Tracer Case Summary Submissions ................................................................................................17
Tracer Case Summary Requests ..................................................................................................... 17
Audit Field Work Phase ........................................................................................................................... 17
Supporting Documentation Submissions ........................................................................................ 17
Root Cause Analysis Submissions ................................................................................................... 18

Page 2 of 3

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)

Program Audit Protocol
Purpose
To evaluate performance in the areas outlined in this Program Audit Protocol and Data Request
related to Compliance Program Effectiveness (CPE). The Centers for Medicare and Medicaid
Services (CMS) performs its program audit activities in accordance with the CPE Program Audit
Data Request and applying the compliance standards outlined in this Program Audit Protocol and
the Program Audit Process Overview document. At a minimum, CMS will evaluate cases against
the criteria listed below.
Audit Elements Tested
1. Prevention Controls and Activities
2. Detection Controls and Activities
3. Correction Controls and Activities

Page 3 of 4

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Audit
Element
Not
Applicable

Compliance
Standard
Integrity
Testing

Data Request

Method of Evaluation

Supplemental
Documentation:
• Compliance Officer
Questionnaire
• Customized
Organizational
Structure and
Governance
PowerPoint
Presentation
• First Tier, Downstream,
and Related Entities
(FDR) Operations
Oversight
Questionnaire
• Standards of
Conduct/Code of
Conduct document (in
effect at any time
during the audit review
period)
• Risk Assessments and
Compliance
Performance
Mechanisms that show
the extent to which
Medicare Parts C
and/or D operational
areas, FDRs, and FWA
risks were identified
and compliance goals
were monitored at any
time during the audit
review period
• Audit and Monitoring
Work Plans (for both
internal operations and
FDRs) in effect at any
time during the audit
review period

Conduct completeness and accuracy check
of supplemental documentation via desk
review. Verify:
• Questionnaires are complete (i.e., all
questions answered)
• Other documents represent all those in
effect during the scope of universe
request

Criteria Effective
01/01/2021
42 CFR § 422.504(e)
42 CFR § 423.505(e)
42 CFR § 422.504(f)
42 CFR § 423.505(f)

Conduct completeness and accuracy check
of Universe Table 1 via desk review.
Verify universe is in accordance with the
record layout:
• Specifications (e.g., inclusion and
exclusion language, scope of universe
request)
• Descriptions (e.g., all fields completed
in correct format)
Review all supplemental documentation
submitted with Universe Table 1. The
integrity of the universe and supplemental
documents will be questioned if the
submissions are incomplete, were not
prepared in accordance with Program
Audit Data Request instructions, or a
variance is discovered in oversight
activities.

Universe Table 1:
Compliance Oversight
Activities (COA)

Page 4 of 5

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Audit
Element
Prevention,
Detection, or
Correction

Compliance
Standard
1.1

Data Request
Supplemental
Documentation:
• Compliance Officer
Questionnaire
• Standards of
Conduct/Code of
Conduct document (in
effect at any time
during the audit review
period)
• Customized
Organizational
Structure and
Governance
PowerPoint
Presentation
Universe Table 1:
Compliance Oversight
Activities (COA)
Supporting
Documentation:
• Written compliance
policies and procedures

Method of Evaluation
Conduct review of supplemental and
supporting documentation via interviews
with compliance officer and individuals
responsible for SIU/FWA and FDR
oversight, as applicable. Assess whether
Sponsoring organization’s written
compliance policies, procedures, and
standards of conduct:
Articulate the Sponsoring organization’s
commitment to comply with all applicable
Federal and State standards; Describe
compliance expectations as embodied in
the standards of conduct; Implement the
operation of the compliance program;
Provide guidance to employees and others
on dealing with potential compliance
issues; Identify how to communicate
compliance issues to appropriate
compliance personnel;
Describe how potential compliance issues
are investigated and resolved by the
Sponsoring organization; and
Include a policy of non-intimidation and
non-retaliation for good faith participation
in the compliance program, including but
not limited to reporting potential issues,
investigating issues, conducting selfevaluations, audits and remedial actions,
and reporting to appropriate officials.

Criteria Effective
01/01/2021
42 CFR §
422.503(b)(4)(vi)(A)
42 CFR §
423.504(b)(4)(vi)(A)

Select targeted samples of 20 audit
participants and 2 First Tier Entities (FTEs)
from attendance logs and impacted
individuals and entities from tracers,
supporting documentation and/or
supplemental documentation.
Sample selections will be provided to the
Sponsoring organization on the first day of
the onsite audit.
Evaluate the 20 samples and 2 FTEs via
live presentation by Sponsoring
organization or review of evidence (e.g.,
accessibility of compliance policies and
procedures and Standards of Conduct via
the intranet, FTE attestation).

Page 5 of 6

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Audit
Element
Prevention,
Detection, or
Correction

Compliance
Data Request
Standard
1.2
Universe Table 1:
Compliance Oversight
Activities (COA)
Tracer case summaries
Supplemental
Documentation:
• Compliance
Officer
Questionnaire
• Customized
Organizational
Structure and
Governance
PowerPoint
Presentation
Supporting
Documentation:
• Evidence that
compliance issues were
communicated to the
appropriate compliance
personnel, senior
management, and
oversight entities
• Meeting
minutes/agendas,
letters/correspondence,
etc. to support
statements within the
tracer case summaries

Page 6 of 7

Method of Evaluation
Select 6 tracer case samples by targeting
those that represent compliance risk to
Sponsoring organization’s operations and
enrollees with the likelihood of touching
multiple elements of a compliance
program, including intelligence obtained
from documentation received with the
universe. When available, choose:
Pharmacy benefit management; Appeals
and grievances, including oversight of call
routing process; FTE performing a
delegated function; Quality improvement
program, if applicable; Network
management; Enrollment and
disenrollment, agent/broker
misrepresentation, quality of care,
including issues reported through
compliance mechanisms;
Customer/member services; or Compliance
actions (e.g., Notices of Noncompliance,
Warning Letters) relative to the audit
review period.
Other information available to CMS (and,
therefore, not requested from Sponsoring
organizations) may be used for tracer case
sample selection, such as:
Compliance actions; Enforcement actions;
or Memorandums issued via the Health
Plan Management System.
Tracer case sample selections will be
provided to the Sponsoring organization
two weeks prior to the Entrance
Conference.
Evaluate the 6 tracer case summaries via
live presentation by Sponsoring
organization, including interviews with
compliance officer and individuals
responsible for SIU/FWA and FDR
oversight, as applicable. Assess whether:
Sponsoring organization designated an
employee of the organization, parent
organization, or corporate affiliate as the
compliance officer; Compliance officer and
compliance committee demonstrated
appropriate accountability and reporting of
Medicare compliance issues to appropriate
senior management and governing body;
and Governing body exercised oversight of
the Medicare compliance program.
Note: Discussion may include compliance
oversight perspective on preliminary issues
discovered during the earlier portion of the
Audit Field Work phase.

Criteria Effective
01/01/2021
42 CFR §
422.503(b)(4)(vi)(B)
42 CFR §
423.504(b)(4)(vi)(B)

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Audit
Element
Prevention,
Detection, or
Correction

Compliance
Data Request
Standard
1.3
Supplemental
Documentation:
• Compliance Officer
Questionnaire
• Customized
Organizational
Structure and
Governance
PowerPoint
Presentation
Supporting
Documentation:
• Employee and
governing body
members training
records

Method of Evaluation
Conduct review of supplemental and
supporting documentation via interviews
with compliance officer and individuals
responsible for SIU/FWA and FDR
oversight, as applicable. Assess whether
compliance training was provided annually
to the compliance officer and organization
employees, the Sponsoring organization's
chief executive and other senior
administrators, managers and governing
body members.

Criteria Effective
01/01/2021
42 CFR §
422.503(b)(4)(vi)(C)
42 CFR §
423.504(b)(4)(vi)(C)

Use the same 20 samples of audit
participants from attendance logs and
impacted individuals from tracers,
supporting documentation and/or
supplemental documentation.
Sample selections will be provided to the
Sponsoring organization on the first day of
the onsite audit.
Evaluate the 20 samples via live
presentation by Sponsoring organization or
review of evidence (e.g., training
attendance log, training certificate,
employee attestation of receipt of
compliance policies and procedures and
Standards of Conduct).

Page 7 of 8

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Audit
Element
Prevention,
Detection, or
Correction

Compliance
Data Request
Standard
1.4
Tracer case summaries
Supplemental
Documentation:
• Compliance Officer
Questionnaire
• Customized
Organizational
Structure and
Governance
PowerPoint
Presentation
• First Tier, Downstream,
and Related Entities
(FDR) Operations
Oversight
Questionnaire

Method of Evaluation
Evaluate the 6 tracer case summaries via
live presentation by Sponsoring
organization, including interviews with
compliance officer and individuals
responsible for SIU/FWA and FDR
oversight, as applicable. Assess whether
Sponsoring organization:
• Established effective lines of
communication between the compliance
officer, members of the compliance
committee, employees, managers and
governing body, and FDRs; and
• Implemented a reporting system that is
accessible to all and allowed a method
for anonymous and confidential good
faith reporting of potential compliance
issues as they are identified.

Criteria Effective
01/01/2021
42 CFR §
422.503(b)(4)(vi)(D)
42 CFR §
423.504(b)(4)(vi)(D)

Supporting
Documentation:
• Evidence of
communication to the
affected or involved
business areas
regarding compliance
issues
• Evidence of oversight
activities that occurred
as a result of the
detected issue(s)
• Description of the
enrollee and/or
Sponsoring
organization impact as
a result of the detected
compliance issues
• Meeting
minutes/agendas,
letters/correspondence,
etc. to support
statements within the
tracer case summaries

Page 8 of 9

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Audit
Element
Prevention,
Detection, or
Correction

Page 9 of 10

Compliance
Data Request
Standard
1.5
Supplemental
Documentation:
• Compliance Officer
Questionnaire
• Standards of
Conduct/Code of
Conduct document (in
effect at any time
during the audit review
period)

Method of Evaluation
Conduct review of supplemental
documentation via interviews with
compliance officer and individuals
responsible for SIU/FWA and FDR
oversight, as applicable. Assess whether
Sponsoring organization has wellpublicized disciplinary standards through
implementation of procedures which
encourage good faith participation in the
compliance program by all affected
individuals. These standards must include
policies that:
• Articulate expectations for reporting
compliance issues and assist in their
resolution;
• Identify noncompliance or unethical
behavior; and
• Provide for timely, consistent, and
effective enforcement of the standards
when noncompliance or unethical
behavior is determined.

Criteria Effective
01/01/2021
42 CFR §
422.503(b)(4)(vi)(E)
42 CFR §
423.504(b)(4)(vi)(E)

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Audit
Element
Prevention,
Detection, or
Correction

Data Request
Compliance
Standard
1.6
Tracer case summaries
Supplemental
Documentation:
• Compliance Officer
Questionnaire
• First Tier, Downstream,
and Related Entities
(FDR) Operations
Oversight
Questionnaire
• Risk Assessments and
Compliance
Performance
Mechanisms that show
the extent to which
Medicare Parts C
and/or D operational
areas, FDRs, and FWA
risks were identified
and compliance goals
were monitored at any
time during the audit
review period
• Audit and Monitoring
Work Plans (for both
internal operations and
FDRs) in effect at any
time during the audit
review period

Method of Evaluation
Evaluate the 6 tracer case summaries via
live presentation by Sponsoring
organization, including interviews with
compliance officer and individuals
responsible for SIU/FWA and FDR
oversight, as applicable. Assess whether
Sponsoring organization established and
implemented an effective system for
routine monitoring and identification of
compliance risks including internal
monitoring and audits of its internal
operations and FTEs to evaluate
compliance with CMS requirements and
the overall effectiveness of the compliance
program.

Criteria Effective
01/01/2021
42 CFR §
422.503(b)(4)(vi)(F)
42 CFR §
423.504(b)(4)(vi)(F)

Supporting
Documentation:
• Evidence of oversight
activities that occurred
as a result of the
detected issue(s)
• Description of the
enrollee and/or
Sponsoring
organization impact as
a result of the detected
compliance issues
• Meeting
minutes/agendas,
letters/correspondence,
etc. to support
statements within the
tracer case summaries

Page 10 of 11

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Audit
Element
Prevention,
Detection, or
Correction

Page 11 of 12

Data Request
Compliance
Standard
1.7
Tracer case summaries
Supplemental
Documentation:
• Compliance Officer
Questionnaire
• First Tier, Downstream,
and Related Entities
(FDR) Operations
Oversight
Questionnaire
Supporting
Documentation:
• Policies and procedures
reviewed and revised in
response to detecting
and correcting
compliance issues
• Training provided in
response to identifying
and correcting
compliance issues
• Evidence of oversight
activities that occurred
as a result of the
detected issue(s)
• Evidence of
accountability and
oversight by the
Sponsoring
organization when
issues are detected at
the FDR level,
including response and
correction procedures,
communication,
educational
requirements and
engagement with the
compliance department,
operational areas and
oversight entities
• Description of the
enrollee and/or
Sponsoring
organization impact as
a result of the detected
compliance issues
• Meeting
minutes/agendas,
letters/correspondence,
etc. to support
statements within the
tracer case summaries

Method of Evaluation
Evaluate the 6 tracer case summaries via
live presentation by Sponsoring
organization, including interviews with
compliance officer and individuals
responsible for SIU/FWA and FDR
oversight, as applicable. Assess whether
Sponsoring organization promptly
responded to compliance issues,
investigated potential compliance problems
identified, or corrected such compliance
problems promptly and thoroughly to
reduce potential for recurrence and ensure
ongoing compliance with CMS
requirements.

Criteria Effective
01/01/2021
42 CFR §
422.503(b)(4)(vi)(G)
42 CFR §
423.504(b)(4)(vi)(G)

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)

Program Audit Data Request
Audit Engagement and Universe Submission Phase
Universe Submissions
Sponsoring organizations must submit the universe, comprehensive of all contracts and Plan
Benefit Packages (PBP) identified in the audit engagement letter, in either Microsoft Excel (.xlsx)
file format with a header row or Text (.txt) file format without a header row. Descriptions and
clarifications of what must be included in each submission and data field are outlined in the
universe record layout below. Characters are required in all requested fields, unless otherwise
specified, and data must be limited to the request specified in the record layout. Sponsoring
organizations must provide accurate and timely universe submissions within 15 business days of the
audit engagement letter date. Submissions that do not strictly adhere to the record layout
specifications will be rejected.
Universe Requests
1. Universe Table 1: Compliance Oversight Activities (COA) Record Layout
Universe
Record Layout
Table 1

Scope of Universe Request*

Submit a list of all compliance oversight activities that occurred during the 26week period preceding and including the date of the audit engagement letter.
* CMS reserves the right to expand the review period to ensure sufficient universe size.
Please use the guidance below for the following record layout:
Universe Table 1: Compliance Oversight Activities (COA) Record Layout
• Include all auditing, monitoring, and investigation activities (including compliance and fraud,
waste and abuse (FWA) activities) that were initiated, performed, or closed, related to the
Sponsoring organization’s Medicare Advantage (Part C) and/or Prescription Drug (Part D)
business during the universe request period. Include the activity if the Activity Start Date
(Column ID G) or Activity Completion Date (Column ID H) falls within the universe request
period, or if the activity is still in progress but the start and completion dates fall outside the
universe period.
• Daily activities should be rolled up into an aggregate time period of one month and included
in the universe each time the aggregate time period into which they were rolled occurred.
• Use consistent naming conventions throughout the submitted universe. For instance, when
the name of the Sponsoring organization’s component (e.g., department, operational area,
business unit) is requested, a consistent response (e.g., Agent Broker vs. Agent/ Broker vs.
AB vs. A/B) must be used.
• Ensure that all fields are populated; do not leave any fields blank (e.g. if there are no
deficiencies enter “0” for Number of Deficiencies in Column ID I, and Column ID J
(Description of Deficiencies) would be “NA”.

Page 12 of 13

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Column
ID
A

Field Name

B

Activity Type

CHAR
30
Always
Required

C

Compliance or FWA?

CHAR
10
Always
Required

D

Activity Frequency

CHAR
30
Always
Required

E

Activity Rationale

CHAR
200
Always
Required

Page 13 of 14

Component

Field
Field
Type
Length
CHAR
100
Always
Required

Description
Enter the name of the Sponsoring
organization’s department,
operational area, or First Tier
Entity that is the focus
of the oversight activity.
Enter the activity type as:
• Auditing
• Monitoring
• Investigations
Enter whether the activity was:
• Compliance
• FWA
• Both
Enter the frequency of the
oversight activity. Valid values
include but are not limited to:
• Daily
• Weekly
• Bi-monthly
• Monthly
• Quarterly
• Semi-annually
• Annually
• Ad-hoc
Enter the rationale for conducting
the activity (e.g., routine audit
stemming from risk assessment
and/or work plan, referral from
FTE, or hotline complaint,
operational failure/metric
outlier/etc., or audit activity was
implemented because the function
has an immediate impact on
enrollees’ access to immediate
medical care and prescription
drugs).

OMB Approval 0938-1395 (Expires 05/31/2024)

Column
ID
F

G

H

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Field
Field
Field Name
Description
Type
Length
CHAR
400
Activity Description
Provide a description of the
Always
activity (e.g., operational area,
Required
training requirements, timeliness,
accuracy of organization
determinations and notifications,
messaging errors, contractual
agreements, unannounced or
onsite audits, spot checks,
compliance
monitoring, targeted or stratified
sampling, audit protocols).
CHAR
10
Activity Start Date
Enter the date that the specific
Always
activity was initiated. For
Required
example, if the Sponsoring
organization started an audit of the
appeals process/ function within
the Sponsoring organization on
January 1, 2020, that is the date
that would be used for the date the
activity started.

10
Activity Completion Date CHAR
Always
Required

Submit in CCYY/MM/DD format
(e.g., 2020/01/01).
Enter the date that the specific
activity was completed. For
example, if the Sponsoring
organization completed an audit of
the appeals process/function
within the Sponsoring
organization on January 31, 2020,
that is the date that would be used
for the date the activity ended.
Submit in CCYY/MM/DD format
(e.g., 2020/01/01).
Enter TBD (To Be Determined) if
the activity is currently in
progress.

Page 14 of 15

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Column
ID
I

J

Field Name
Number of Deficiencies

Description of
Deficiencies

Field
Field
Type
Length
CHAR
3
Always
Required

CHAR
1000
Always
Required

K

Corrective Action
Required

CHAR
3
Always
Required

L

Activity Results Shared?

CHAR
50
Always
Required

Page 15 of 16

Description
Enter the number of deficiencies,
findings, or issues identified.
Enter TBD if deficiencies have yet
to be identified for an ongoing
activity.
Provide a summary of all
deficiencies, findings or issues
identified during the oversight
activity. If the oversight activity is
identified in the pre-audit issue
summary submitted to CMS,
please include the issue number.
Enter TBD if deficiencies have yet
to be identified for an ongoing
activity.
Enter:
• Y (for Yes) if any
deficiencies were identified
during the activity and they
required a corrective action.
• N (for No) if none of the
deficiencies identified during
the activity required a
corrective action.
• TBD if corrective actions
have yet to be determined
for an ongoing activity.
Enter whether activity
results were shared:
• N (for No) if the results were
not shared, or
• Y (for Yes) if the results
were shared. Also enter the
name of the person or Group
with whom activity results
were shared.

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Supplemental Documentation Submissions
Sponsoring organizations must submit the requested documentation identified below in either a
Microsoft Word (.docx), Microsoft Excel (.xlsx.), Microsoft PowerPoint (.pptx), or Adobe
Portable Document File (.pdf). Sponsoring organizations must submit this documentation within
15 business days of the audit engagement letter date, unless otherwise specified.
Supplemental Documentation Requests
1. Compliance Officer Questionnaire
2. Customized Organizational Structure and Governance PowerPoint Presentation
3. First Tier, Downstream, and Related Entities (FDR) Operations Oversight
Questionnaire
4. Standards of Conduct/Code of Conduct document (in effect at any time during the
audit review period)
5. Risk Assessments and Compliance Performance Mechanisms that show the extent to
which Medicare Parts C and/or D operational areas, FDRs, and FWA risks were
identified and compliance goals were monitored at any time during the audit review
period. Compliance performance mechanisms could include (but are not limited to)
monthly compliance dashboards that track the goals and statuses of the identified
risk/issue, self-assessments, surveys, or any other tools or mechanisms (outside the
risk assessment) that are used to identify potential compliance risks.
6. Audit and Monitoring Work Plans (for both internal operations and FDRs) in effect at
any time during the audit review period

Page 16 of 17

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
Tracer Case Summary Submissions
In response to each tracer case summary requested, Sponsoring organizations must prepare and
submit a written document in either a Microsoft Word (.docx), Microsoft Excel (.xlsx.),
Microsoft PowerPoint (.pptx), or Adobe Portable Document File (.pdf) of a story board and/or
dashboard prior to the Entrance Conference. The summary document must provide the specific
facts, rationales, and decisions around how suspected, detected, or reported compliance issues
are investigated and resolved by the Sponsoring organization. The following information must be
included in each summary document in chronological order:
a. An overview of the issue(s) or activity
b. Which compliance and business operations units were involved in detecting and
correcting the issue(s)
c. A detailed explanation of the issue(s)/activity (e.g., what the Sponsoring organization
found, when the Sponsoring organization first learned about the issue, and who or which
personnel/operational area(s) were involved.)
d. A root cause analysis that determined what caused or allowed the compliance issue,
problem, or deficiency to occur
e. The specific actions taken in response to the detected issue(s)/activity
f. The processes and procedures that were affected by the issue(s)/activity and that were
revised in response to becoming aware of the issue(s)/activity
g. The steps taken to correct the issue(s)/deficiencies at the Sponsoring organization and/or
FDR levels, including a timeline indicating the corrective actions implemented or, if not
implemented, when the Sponsoring organization expects the corrective action to be
completed
h. How the issue was escalated (e.g., senior management, compliance oversight committees,
governing body, etc.)
i. All relevant communications within the Sponsoring organization and with its FDRs
regarding the issue.
j. Each prevention control and safeguard implemented in response to the issue(s)/activity
Tracer Case Summary Requests
CMS will request a total of 6 tracer case summaries.

Audit Field Work Phase
Supporting Documentation Submissions
During audit field work, CMS will review 6 tracer case summaries in addition to 20 employee
samples of audit participants and 2 FTEs selected from attendance logs, tracers, supplemental
documentation and/or supporting documentation to determine whether the Sponsoring
organization is compliant with its Part C and/or Part D contract requirements. To facilitate this
review, the Sponsoring organization must have access to, and the ability to save and upload
screenshots of supporting documentation and data relevant for a particular case, including, but
not limited to:
• Written compliance policies and procedures
• Evidence that compliance issues were communicated to the appropriate compliance
personnel, senior management, and oversight entities
• Training provided in response to identifying and correcting compliance issues
Page 17 of 18

OMB Approval 0938-1395 (Expires 05/31/2024)

Program Audit Protocol and Data Request
Medicare Parts C & D Compliance Program Effectiveness (CPE)
•
•
•
•

•
•

Employee and governing body members training records
Evidence of communication to the affected or involved business areas regarding compliance
issues
Evidence of oversight activities that occurred as a result of the detected issue(s)
Evidence of accountability and oversight by the Sponsoring organization when issues are
detected at the FDR level, including response and correction procedures, communication,
educational requirements and engagement with the compliance department, operational areas
and oversight entities
Description of the enrollee and/or Sponsoring organization impact as a result of the detected
compliance issues
Meeting minutes/agendas, letters/correspondence, etc. to support statements within the
Tracer Case Summaries

If not previously provided, the Sponsoring organizations are expected to submit supporting
documentation within 2 business days of the request.
Root Cause Analysis Submissions
Sponsoring organizations may be required to provide a root cause analysis using the Root Cause
Template provided by CMS. Sponsoring organizations have 2 business days from the date of
request to respond.
Verification of Information Collected: CMS may conduct integrity tests to validate the
accuracy of all universes, impact analyses, and other related documentation submitted in
furtherance of the audit. If data integrity issues are noted, Sponsoring organizations may be
required to resubmit their data.

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it
displays a valid OMB control number. The valid OMB control number for this information collection is 0938-1395 (Expires
05/31/2024). This is a mandatory information collection. The time required to complete this information collection is estimated
to average 701 hours per response, including the time to review instructions, search existing data resources, gather the data
needed, and complete and review the information collection. If you have comments concerning the accuracy of the time
estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance
Officer, Mail Stop C4-26-05, Baltimore, Maryland 21244-1850. ****CMS Disclosure**** Please do not send applications,
claims, payments, medical records or any documents containing sensitive information to the PRA Reports Clearance Office.
Please note that any correspondence not pertaining to the information collection burden approved under the associated OMB
control number listed on this form will not be reviewed, forwarded, or retained. If you have questions or concerns regarding
where to submit your documents, please contact [email protected].

Page 18 of 18

OMB Approval 0938-1395 (Expires 05/31/2024)