A vendor insurance compliance checklist is a structured set of requirements that defines the insurance coverage a vendor, contractor, or supplier must carry before beginning work, and specifies the certificates of insurance (COIs) and supporting documentation your organization needs to collect, verify, and monitor throughout the engagement.
It covers five core areas: required insurance types, minimum coverage limits, mandatory endorsements, documentation standards, and an ongoing monitoring process for expirations and mid-term policy changes.
Without a formal checklist, organizations can’t consistently confirm whether a vendor's coverage matches their contract requirements, which means liability gaps go undetected until a claim surfaces. Risk managers, procurement teams, property managers, and general contractors implement this process whenever they engage outside parties who could expose the organization to liability from injury, property damage, or professional errors.
Teams managing this process manually often turn to COI tracking software to automate collection and expiration monitoring at scale. This guide walks through each component of a complete certificate of insurance tracking program — from required coverage types through the ongoing monitoring workflow. Before the full checklist, here are six things worth knowing before you build or audit your program.
Vendor insurance compliance has two distinct phases. The onboarding phase covers initial collection and verification before work begins, while the ongoing phase covers expiration monitoring, renewal tracking, and mid-term policy changes during the engagement.
A vendor who was compliant at onboarding may not be compliant six months later if a policy lapses or coverage limits change.
The coverage types below apply to the majority of vendor relationships. Specific requirements vary by vendor risk profile, industry, and contract terms — but these form the baseline for most compliance programs.
General liability (GL) insurance covers third-party claims for bodily injury and property damage arising from the vendor's operations, products, or completed work. It is the foundational coverage requirement for any vendor who performs work on your premises, handles your property, or has physical contact with your operations. GL policies include two limit structures to verify: the per-occurrence limit and the aggregate limit. Both figures should appear on the certificate and be confirmed against your contract minimums.
Workers' compensation insurance covers medical costs and lost wages for employees injured on the job. It applies to any vendor who sends workers to your location or performs work on your behalf. Workers' comp requirements are governed by state law and vary by jurisdiction.
Commercial auto insurance covers liability from the use of vehicles in the course of business, such as vendor vehicles traveling to your site, making deliveries, or transporting equipment and materials. Personal auto policies typically exclude business use, which is why a separate commercial auto requirement is standard for any vendor who drives as part of their work.
Umbrella or excess liability coverage sits above primary GL, commercial auto, or employers' liability limits and activates when underlying coverage is exhausted. It is commonly required for vendors with significant on-site presence, large contract values, or elevated risk profiles.
Professional liability insurance — also called errors and omissions, or E&O — covers claims arising from professional services, advice, or design errors. It applies to vendors who provide expertise, recommendations, software, or deliverables your organization relies on, rather than physical on-site work. It is commonly required of vendors providing software development, architecture, engineering, consulting, or design services — any engagement where a deliverable or recommendation creates business or financial exposure if it contains errors.
Depending on the nature of the work, some vendor relationships require coverage beyond the standard types above. Common examples include:
These requirements should be defined in your vendor contracts and reflected in your compliance checklist by vendor category.
Coverage requirements are not one-size-fits-all. Most compliance programs establish tiered minimums based on the risk level of the vendor's work.
The specific minimums in your program should reflect your contract terms and the exposure profile of each vendor category — what follows is a common starting framework, not a universal standard.
These are general guidelines. Requirements vary by state, so they should be reviewed and adjusted by your organization’s risk manager, broker, or legal counsel to reflect your specific operations and jurisdictions. You can also read the State-by-State Certificate of Insurance Guide.
A vendor's insurance carrier or broker issues a certificate as evidence of coverage. The certificate is the primary document you'll collect, but it's not the only one required for a complete compliance file.
The ACORD 25 is the standard certificate of insurance form used to document GL, commercial auto, umbrella/excess liability, workers' compensation, and employers' liability coverage. Reviewing a certificate of insurance means confirming each field against your requirements, not just confirming that a document was received (this is overlooked far too often by risk management teams).
Most vendor contracts require the hiring organization to be named as an additional insured on the vendor's GL policy. An additional insured endorsement is a separate document from the ACORD 25, issued by the carrier, not the broker. The certificate may reference the endorsement, but the endorsement itself is what truly provides the coverage extension. Your compliance process should confirm that the endorsement is carrier-issued and matches your contract's additional insured language requirements.
Primary and noncontributory (P&NC) language specifies that the vendor's coverage pays first in a shared claim — before your organization's own insurance responds. Requiring P&NC language is standard practice in construction and property management contracts. If your contracts include this requirement, verify that it is explicitly reflected in the endorsement, not just on the certificate face.
A waiver of subrogation prevents the vendor's insurer from seeking reimbursement from your organization after paying a claim on the vendor's behalf. Like the additional insured endorsement, it may appear on the ACORD 25 or require a separate carrier-issued endorsement.
Before work begins, request a certificate of insurance directly from the vendor or their insurance broker. The request should specify exactly what coverage is required — types, limits, endorsements, and any project-specific requirements — so the vendor can confirm or close gaps before submitting. Certificate submission as a prerequisite for vendor approval is the structural control that prevents work from beginning before gaps are resolved.
Once the certificate is received, verify each required field against your vendor compliance checklist: coverage types and limits, policy dates, certificate holder listing, required endorsements, and named insured against the contracting entity. Flag discrepancies immediately — a certificate that partially meets requirements fails compliance until every gap is closed.
Vendors whose certificates pass verification are approved to begin work. Vendors with gaps receive a specific remediation request listing exactly what is missing. Define the timeline upfront: an open-ended remediation loop with no deadline creates the same gap as no process at all.
Compliance at onboarding is not the same as compliance throughout the engagement. Policies expire. Coverage can lapse mid-project. Ongoing monitoring means tracking expiration dates and requesting updated certificates before coverage ends — typically at 60, 30, and 7 days before expiration. For organizations managing more than a small, stable vendor roster, expiration monitoring is where manual COI tracking most commonly breaks down. Staggered expiration dates and high vendor volumes create a gap rate that spreadsheets can't reliably control.
Even well-designed programs have recurring failure points:
This checklist covers standard elements of a vendor insurance compliance program. It does not address:
For teams managing more than a handful of vendors, running this checklist manually across spreadsheets and email threads creates the exact exposure it's designed to prevent.
bcs COI tracking software automates collection, verification, and expiration monitoring across your full vendor roster — with a network of 78,000+ pre-vetted vendors and no-login certificate submissions that reduce the collection friction your vendors experience.