COI Tracking Checklist: What to Verify Before Approving a Vendor

A complete field reference for verifying vendor certificates of insurance before granting approval.

A COI tracking checklist is a structured verification framework used to confirm that a vendor's certificate of insurance meets all required standards before work begins or a contract is executed.

It covers four core areas: confirming the certificate contains accurate, complete information; verifying that all required coverage types are present at required limits; confirming policy validity and currency; and checking that any contract-required endorsements — additional insured status, waiver of subrogation, primary and non-contributory language — are in place.

This process matters because a certificate of insurance is evidence of coverage at a point in time, not a guarantee that coverage remains active. And relying on an incomplete or outdated certificate creates uninsured liability exposure that doesn't surface until a claim is filed. Risk managers, compliance officers, general contractors, and property managers use this checklist before every vendor approval and as the basis for ongoing COI tracking programs.

Here's what the verification process covers at a glance.

COI Tracking Checklist: 6 Things to Verify Before Vendor Approval

Before approving a vendor, verify these six items:

1. Certificate basics: The ACORD 25 is complete, the insured name matches the contract, the certificate holder is correct, and all policy numbers are listed.
2. Required coverage types: General liability, workers’ compensation, commercial auto, umbrella/excess, or other contract-required coverages are present.
3. Coverage limits: Each policy meets or exceeds the limits required by the contract.
4. Policy dates: Every required coverage line is active today and has not expired.
5. Required endorsements: Additional insured, waiver of subrogation, and primary/non-contributory language are documented through endorsements, not only noted on the certificate.
6. Ongoing monitoring: Track expiration dates after approval so lapses, cancellations, and renewal gaps are caught before work continues.

This process matters because a certificate of insurance is evidence of coverage at a point in time, not a guarantee that coverage remains active. Policies can lapse, be canceled, or be modified after a certificate is issued. Relying on an incomplete, outdated, or unsupported certificate creates uninsured liability exposure that may not surface until a claim is filed.

What to Know Before Approving a Vendor’s COI

A certificate of insurance is not proof of ongoing coverage. It reflects coverage as of the issue date. Policies can lapse, be canceled, or change after the certificate is produced.

Certificate holder status is not the same as additional insured status. Being listed as a certificate holder means your organization received the certificate. It does not extend coverage. Additional insured protection must be confirmed through a policy endorsement.

Endorsements matter as much as coverage limits. A certificate can list the right coverage types and still fail the contract requirement if additional insured, waiver of subrogation, or primary/non-contributory endorsements are missing.

Most vendor insurance gaps happen after initial approval. Expirations, cancellations, and renewal failures create risk when organizations collect COIs once but do not monitor them over time.

A defensible COI review process needs documentation. Approval, rejection, follow-up requests, lapse notices, and reviewer decisions should be recorded so the organization can show due diligence if a claim is disputed.

What a compliant certificate of insurance must include

An incomplete certificate — missing policy numbers, blank limit fields, or a mismatched insured name — is grounds for rejection before any further review.

Standard ACORD 25 fields to confirm on every certificate

The ACORD 25 is the standard certificate of insurance form used in the United States. Every vendor submission should be an ACORD 25, or equivalent, with the following fields fully populated:

• Producer information — the issuing broker, with contact details
• Insured name and address — must match the vendor's legal entity name as it appears in your contract; mismatches are a common failure point
• Insurer names and NAIC numbers — confirms carriers are identified and allows for financial stability verification
• Coverage type and policy number — each coverage type (GL, auto, workers' comp, umbrella) listed separately with its own policy number
• Policy effective and expiration dates — both fields required on every coverage line
• Coverage limits — per occurrence, aggregate, and applicable sublimits
• Certificate holder — your organization's legal name and address, listed EXACTLY as it appears in the contract
• Description of operations — if your contract requires reference to a specific project, location, or contract number, this field must reflect it

Being listed as certificate holder is not the same as additional insured status. Certificate holder means you receive the document. Additional insured status, which must be confirmed via endorsement, means you're covered under the vendor's policy.

What the ACORD 25 disclaimer means for enforcement

The standard ACORD 25 contains disclaimer language stating that the certificate is issued as a matter of information only and confers no rights upon the certificate holder. This means the certificate alone cannot be used to enforce coverage terms. When your contract requires specific coverage provisions, verify those terms against the actual policy endorsements — not just the certificate face.

COI coverage types to verify before vendor approval

The specific coverage types you require depend on the work being performed and your contract terms.

General liability (GL) protects against third-party claims for bodily injury, property damage, and personal and advertising injury; it's the foundational coverage type required for virtually every vendor category.

Verify: each occurrence limit, general aggregate limit, products/completed operations aggregate, and policy form. For vendors doing physical work, occurrence-based GL is the standard requirement. Claims-made GL policies require additional scrutiny around retroactive dates and tail coverage.

Workers' compensation and employer's liability are legally required in most states for any business with employees.

Verify: state of coverage (must match where work is performed), employer's liability limits, and any sole proprietor or officer exclusions. A vendor without workers' comp either has no employees — confirm this in writing — or is out of compliance with state law.

Commercial auto liability applies when vendors use vehicles to access your property, transport equipment, or deliver materials.

Verify: combined single limit (CSL) and covered auto types (owned, hired, non-owned). Auto liability is sometimes omitted when work appears to be on-site only, but vendors who drive to your location create exposure regardless.

Umbrella/excess liability extends the limits of underlying GL, auto, and employer's liability policies. Typically required for higher-risk vendors.

Verify: follow-form vs. standalone umbrella terms, and that the umbrella schedule lists the same underlying policies as your certificate. Mismatches between umbrella schedules and primary policies are a known compliance gap.

How to verify certificate validity and currency

A certificate that accurately describes expired coverage is not a compliant certificate. Every coverage line has its own policy period; verify each independently. It's common for a GL policy to be current while a workers' comp policy has lapsed, particularly when coverage lines renew on different schedules.

The most direct check: confirm today's date falls within the stated policy period for every required line. If any line shows a past expiration date, the certificate fails regardless of when it was issued.

Claims-made vs. occurrence policies require different expiration logic. Occurrence-based policies cover incidents during the policy period, regardless of when the claim is filed. Claims-made policies cover claims filed during the policy period only — once expired, no coverage applies to new claims unless the vendor has purchased tail (extended reporting period) coverage. For vendors doing long-term or recurring work, occurrence-based coverage provides cleaner ongoing protection.

Confirming active coverage: the ACORD 25 reflects coverage as of its issue date, not necessarily today. Certificates older than 30 days should be treated as potentially stale. To confirm current status, contact the issuing broker directly or request a newly-issued certificate.

Additional insured and endorsement requirements

Endorsement gaps are the most common source of disputes in vendor compliance programs. A certificate can check every coverage box and still leave your organization exposed if required endorsements are missing.

Additional insured status extends coverage under the vendor's policy to your organization for claims arising from the vendor's work. Without it, you cannot tender a defense to the vendor's insurer when an incident involves your organization. Additional insured status must be documented in a policy endorsement, not just noted on the certificate face. Common endorsement forms:

• CG 20 10 — additional insured for ongoing operations
• CG 20 37 — additional insured for completed operations
• CG 20 26 — additional insured for designated person or organization

Many contracts require both CG 20 10 and CG 20 37. Confirm which forms your contracts specify before reviewing vendor submissions.

Waiver of subrogation prevents the vendor's insurer from pursuing your organization for reimbursement after paying a claim. Must be confirmed via endorsement on each required coverage line (GL, workers' comp, auto) as specified by your contract.

Primary and non-contributory language establishes that the vendor's policy pays first in a shared claim, before your own policy contributes. Appears in policy endorsements and must be confirmed the same way as the items above.

COI red flags that should trigger rejection or follow-up

Reject immediately: request a corrected certificate

The following conditions require a corrected certificate before approval proceeds:

• Any required coverage line shows an expired policy date
• The named insured on the certificate doesn't match the contracting vendor entity
• Required coverage types are missing entirely
• Coverage limits are below contract requirements
• The certificate holder section is blank, incorrect, or lists a different entity

Request follow-up before making a determination

The following conditions require clarification before approval can proceed but don't automatically result in rejection:

• Required endorsements are noted on the certificate but the endorsement documents aren't provided
• A claims-made policy shows no retroactive date; request it and confirm it predates the contract start date
• The umbrella policy schedule doesn't align with primary policy numbers
• Workers' comp shows officer exclusions and those individuals will be on-site
• Certificate broker contact information is incomplete

Certificates are issued by brokers on behalf of insurers, not by insurers directly. The certificate is not a policy document. If a certificate indicates endorsements are in place but the endorsement documents cannot be produced, the endorsements control — and the certificate notation alone is insufficient.

Managing ongoing compliance after initial approval

Initial approval is the beginning of vendor compliance management, not the end. A structured expiration monitoring program sends alerts at defined intervals before each policy renewal — commonly 60, 30, 15, and 7 days before expiration. The 60-day alert gives vendors time to initiate renewal. The 7-day alert is the final window for active follow-up before a lapse occurs.

When a vendor's coverage lapses during an active engagement, suspend work immediately for high-risk or physical work vendors. Issue a formal notice of non-compliance documenting the lapse date and affected coverage line. Set a resolution deadline, typically 5–10 business days before escalation to contract suspension. A lapse doesn't automatically void the contract, but proceeding with an uninsured vendor transfers the liability exposure to your organization.

Document every compliance decision — approval, rejection, follow-up, lapse notice — with a timestamp and reviewer identification. Auditable records demonstrate due diligence if a claim is disputed.

What this checklist doesn't cover

This checklist addresses the standard commercial lines coverage types and endorsements required in most vendor compliance programs. It does not cover:

• Jurisdiction-specific requirements — workers' compensation rules, coverage minimums, and notice requirements vary by state; verify local requirements with a licensed insurance professional when operating across multiple states
• Industry-specific specialty coverage — professional liability (E&O), cyber liability, and pollution liability are not addressed here; their inclusion depends on the nature of the work and the vendor category
• Contract-specific requirements — this checklist reflects common baseline requirements; individual contracts may require coverage types, limits, or endorsement language beyond what's listed; your contracts control
• Policy-level verification — this checklist addresses certificate-level review; for high-risk vendors or large contracts, policy-level review by a licensed insurance professional provides deeper assurance
• Legal advice — certificate requirements and coverage determinations involve contractual and legal questions a checklist cannot resolve

This checklist covers certificate completeness, coverage type verification, policy currency, and endorsement confirmation — the four functions that define a defensible vendor approval process. For teams managing more than 25 active vendors, tracking each of those functions manually across every certificate creates the conditions for the gaps this checklist exists to prevent.

bcs automates the collection, verification, and monitoring steps this checklist describes with instant compliance feedback, automated expiration alerts, and a network of 78,000+ pre-vetted vendors. Explore certificate of insurance tracking software built for the full vendor compliance lifecycle, or start free for up to 25 vendors with no credit card required.

Frequently asked questions