A COI tracking checklist is a structured verification framework used to confirm that a vendor's certificate of insurance meets all required standards before work begins or a contract is executed.
It covers four core areas: confirming the certificate contains accurate, complete information; verifying that all required coverage types are present at required limits; confirming policy validity and currency; and checking that any contract-required endorsements — additional insured status, waiver of subrogation, primary and non-contributory language — are in place.
This process matters because a certificate of insurance is evidence of coverage at a point in time, not a guarantee that coverage remains active. And relying on an incomplete or outdated certificate creates uninsured liability exposure that doesn't surface until a claim is filed. Risk managers, compliance officers, general contractors, and property managers use this checklist before every vendor approval and as the basis for ongoing COI tracking programs.
Here's what the verification process covers at a glance.
Before approving a vendor, verify these six items:
This process matters because a certificate of insurance is evidence of coverage at a point in time, not a guarantee that coverage remains active. Policies can lapse, be canceled, or be modified after a certificate is issued. Relying on an incomplete, outdated, or unsupported certificate creates uninsured liability exposure that may not surface until a claim is filed.
A certificate of insurance is not proof of ongoing coverage. It reflects coverage as of the issue date. Policies can lapse, be canceled, or change after the certificate is produced.
Certificate holder status is not the same as additional insured status. Being listed as a certificate holder means your organization received the certificate. It does not extend coverage. Additional insured protection must be confirmed through a policy endorsement.
Endorsements matter as much as coverage limits. A certificate can list the right coverage types and still fail the contract requirement if additional insured, waiver of subrogation, or primary/non-contributory endorsements are missing.
Most vendor insurance gaps happen after initial approval. Expirations, cancellations, and renewal failures create risk when organizations collect COIs once but do not monitor them over time.
A defensible COI review process needs documentation. Approval, rejection, follow-up requests, lapse notices, and reviewer decisions should be recorded so the organization can show due diligence if a claim is disputed.
An incomplete certificate — missing policy numbers, blank limit fields, or a mismatched insured name — is grounds for rejection before any further review.
The ACORD 25 is the standard certificate of insurance form used in the United States. Every vendor submission should be an ACORD 25, or equivalent, with the following fields fully populated:
Being listed as certificate holder is not the same as additional insured status. Certificate holder means you receive the document. Additional insured status, which must be confirmed via endorsement, means you're covered under the vendor's policy.
The standard ACORD 25 contains disclaimer language stating that the certificate is issued as a matter of information only and confers no rights upon the certificate holder. This means the certificate alone cannot be used to enforce coverage terms. When your contract requires specific coverage provisions, verify those terms against the actual policy endorsements — not just the certificate face.
The specific coverage types you require depend on the work being performed and your contract terms.
General liability (GL) protects against third-party claims for bodily injury, property damage, and personal and advertising injury; it's the foundational coverage type required for virtually every vendor category.
Verify: each occurrence limit, general aggregate limit, products/completed operations aggregate, and policy form. For vendors doing physical work, occurrence-based GL is the standard requirement. Claims-made GL policies require additional scrutiny around retroactive dates and tail coverage.
Workers' compensation and employer's liability are legally required in most states for any business with employees.
Verify: state of coverage (must match where work is performed), employer's liability limits, and any sole proprietor or officer exclusions. A vendor without workers' comp either has no employees — confirm this in writing — or is out of compliance with state law.
Commercial auto liability applies when vendors use vehicles to access your property, transport equipment, or deliver materials.
Verify: combined single limit (CSL) and covered auto types (owned, hired, non-owned). Auto liability is sometimes omitted when work appears to be on-site only, but vendors who drive to your location create exposure regardless.
Umbrella/excess liability extends the limits of underlying GL, auto, and employer's liability policies. Typically required for higher-risk vendors.
Verify: follow-form vs. standalone umbrella terms, and that the umbrella schedule lists the same underlying policies as your certificate. Mismatches between umbrella schedules and primary policies are a known compliance gap.
A certificate that accurately describes expired coverage is not a compliant certificate. Every coverage line has its own policy period; verify each independently. It's common for a GL policy to be current while a workers' comp policy has lapsed, particularly when coverage lines renew on different schedules.
The most direct check: confirm today's date falls within the stated policy period for every required line. If any line shows a past expiration date, the certificate fails regardless of when it was issued.
Claims-made vs. occurrence policies require different expiration logic. Occurrence-based policies cover incidents during the policy period, regardless of when the claim is filed. Claims-made policies cover claims filed during the policy period only — once expired, no coverage applies to new claims unless the vendor has purchased tail (extended reporting period) coverage. For vendors doing long-term or recurring work, occurrence-based coverage provides cleaner ongoing protection.
Confirming active coverage: the ACORD 25 reflects coverage as of its issue date, not necessarily today. Certificates older than 30 days should be treated as potentially stale. To confirm current status, contact the issuing broker directly or request a newly-issued certificate.
Endorsement gaps are the most common source of disputes in vendor compliance programs. A certificate can check every coverage box and still leave your organization exposed if required endorsements are missing.
Additional insured status extends coverage under the vendor's policy to your organization for claims arising from the vendor's work. Without it, you cannot tender a defense to the vendor's insurer when an incident involves your organization. Additional insured status must be documented in a policy endorsement, not just noted on the certificate face. Common endorsement forms:
Many contracts require both CG 20 10 and CG 20 37. Confirm which forms your contracts specify before reviewing vendor submissions.
Waiver of subrogation prevents the vendor's insurer from pursuing your organization for reimbursement after paying a claim. Must be confirmed via endorsement on each required coverage line (GL, workers' comp, auto) as specified by your contract.
Primary and non-contributory language establishes that the vendor's policy pays first in a shared claim, before your own policy contributes. Appears in policy endorsements and must be confirmed the same way as the items above.
The following conditions require a corrected certificate before approval proceeds:
The following conditions require clarification before approval can proceed but don't automatically result in rejection:
Certificates are issued by brokers on behalf of insurers, not by insurers directly. The certificate is not a policy document. If a certificate indicates endorsements are in place but the endorsement documents cannot be produced, the endorsements control — and the certificate notation alone is insufficient.
Initial approval is the beginning of vendor compliance management, not the end. A structured expiration monitoring program sends alerts at defined intervals before each policy renewal — commonly 60, 30, 15, and 7 days before expiration. The 60-day alert gives vendors time to initiate renewal. The 7-day alert is the final window for active follow-up before a lapse occurs.
When a vendor's coverage lapses during an active engagement, suspend work immediately for high-risk or physical work vendors. Issue a formal notice of non-compliance documenting the lapse date and affected coverage line. Set a resolution deadline, typically 5–10 business days before escalation to contract suspension. A lapse doesn't automatically void the contract, but proceeding with an uninsured vendor transfers the liability exposure to your organization.
Document every compliance decision — approval, rejection, follow-up, lapse notice — with a timestamp and reviewer identification. Auditable records demonstrate due diligence if a claim is disputed.
This checklist addresses the standard commercial lines coverage types and endorsements required in most vendor compliance programs. It does not cover:
This checklist covers certificate completeness, coverage type verification, policy currency, and endorsement confirmation — the four functions that define a defensible vendor approval process. For teams managing more than 25 active vendors, tracking each of those functions manually across every certificate creates the conditions for the gaps this checklist exists to prevent.
bcs automates the collection, verification, and monitoring steps this checklist describes with instant compliance feedback, automated expiration alerts, and a network of 78,000+ pre-vetted vendors. Explore certificate of insurance tracking software built for the full vendor compliance lifecycle, or start free for up to 25 vendors with no credit card required.