Certificate of insurance (COI) tracking is the systematic process of collecting, reviewing, and monitoring proof of insurance coverage from contractors, vendors, tenants, and suppliers who perform work for or on behalf of your organization. It covers three core functions: initial certificate collection before work begins, detailed verification of coverage types, limits, and endorsements against contractual requirements, and ongoing monitoring of policy expirations, with renewal requests before coverage lapses.
Without a tracking system in place, organizations face liability exposure from coverage gaps they don't discover until a claim is filed. Risk managers, property managers, procurement teams, and general contractors implement certificate of insurance tracking when vendor volumes exceed what manual review can reliably monitor, typically at or above 25 to 50 active vendors.
Before getting into how each function works, here are the core facts that matter most.
What is a certificate of insurance?
A certificate of insurance is a one-page document issued by an insurance carrier or agent that summarizes a policyholder's current coverage. It doesn't create, modify, or extend the underlying policy—it reports on it. The certificate answers four questions: who is insured, what types of coverage are in force, what the policy limits are, and when the coverage expires.
COI forms are standardized by ACORD, a nonprofit standards organization that serves the insurance industry. The most common forms are:
- ACORD 25 — used for general liability, auto liability, umbrella/excess, workers' compensation, and employers' liability
- ACORD 27 and 28 — used for property coverage
- ACORD 101 — an additional remarks form that captures endorsements and additional insured designations that don't fit on the primary form
Most vendor relationships require an ACORD 25 at a minimum. Construction compliance automation and real estate contexts frequently require all three, along with attached endorsements that modify the base policy terms.
What a COI contains
An ACORD 25 includes the insured's name and address, the insurance producer (agent or broker), the types of coverage in force, carrier names and policy numbers, effective and expiration dates for each coverage line, and the per-occurrence and aggregate limits for each type. It also shows whether an additional insured endorsement is in place, whether a waiver of subrogation applies, and whether the certificate holder will receive notice if the policy is cancelled.
The certificate holder—the party requiring proof of insurance—appears in a dedicated box at the bottom of the form. That designation matters: it signals that the certificate was issued specifically for this relationship, not pulled from a prior filing.
Who issues COIs and who requires them
Certificates are issued by the insured's insurance producer (agent or broker), not directly by the carrier. The insured requests the certificate; the producer generates and delivers it. This matters for tracking purposes because any changes to the underlying policy require a new certificate as the original document doesn't update itself.
Organizations that typically require COIs from vendors include property management companies (from tenants, contractors, and service vendors), general contractors (from subcontractors), corporations (from third-party service providers and suppliers), healthcare facilities (from medical staffing agencies and equipment vendors), and municipalities (from event operators and contractors performing public work).
Why businesses require certificates of insurance from vendors
The core reason is risk transfer. When a vendor, contractor, or tenant causes property damage or bodily injury during work performed for your organization, the question of who pays depends heavily on whether the at-fault party had adequate insurance in force at the time of the incident.
A vendor with active, properly structured coverage means their carrier responds to a claim. A vendor without it—or with a lapsed policy, insufficient limits, or missing endorsements—means the liability exposure can shift to the party that hired them. That's the loss that COI requirements are designed to prevent.
The risk transfer argument
Contractual insurance requirements shift financial risk. When a contract specifies that a vendor must carry $1 million per occurrence in general liability coverage, name your organization as an additional insured, and maintain workers' compensation at statutory limits, those requirements are only meaningful if someone verifies they're actually in place.
The additional insured endorsement is particularly important. Being named as an additional insured on a vendor's policy means your organization can make a direct claim under that policy if the vendor's actions cause you loss. A certificate that says "additional insured" without a corresponding endorsement attached to the underlying policy may not provide the protection it appears to, which is why verification goes beyond reading the face of the COI.
What a lapsed policy actually exposes you to
Coverage gaps occur when a policy expires and no renewal certificate is received, when a policy is cancelled mid-term and the certificate holder isn't notified, or when a vendor replaces their coverage with a policy that has lower limits than the contract requires. In all three cases, the certificate on file may show valid coverage while the actual policy is no longer in force.
What does COI tracking actually involve?
COI tracking is an operational workflow with three distinct phases. Collection tends to be the most consistently executed. Monitoring tends to be the weakest.
The core steps: collection, verification, and monitoring
Collection is the process of requesting and receiving certificates from vendors before work begins or a contract takes effect. It involves identifying which vendors require a certificate, sending requests (typically by email), following up on non-responses, and storing received certificates in a central location. The primary failure mode at this stage is incomplete outreach—vendors who are onboarded without a certificate request, or whose certificates are received and filed without the rest of the workflow being triggered.
Verification is the review of a received certificate against the contract's insurance requirements. This means checking coverage type (is GL present? workers' comp? auto?), per-occurrence and aggregate limits (do they meet the contract minimums?), endorsements (is the additional insured language in place? does a waiver of subrogation apply?), and policy dates (is the coverage active, and does it cover the period of work?). In manual compliance programs, it is common for a certificate to be received and filed without any verification against compliance requirements.
Monitoring is the ongoing process of tracking expiration dates and requesting renewals before gaps occur. This phase is where most manual programs fail. Certificates expire on policy anniversary dates, which vary across a vendor portfolio. Standard practice is outreach at 60, 30, and 15 days before each certificate's expiration date—a cadence that scales with vendor count and requires consistent execution to prevent gaps. Monitoring also includes tracking mid-term policy changes: cancellations, endorsement modifications, and coverage reductions that don't always trigger proactive notification.
Manual tracking vs. automated tracking — where the process breaks down
Manual certificate of insurance tracking typically relies on a combination of email correspondence, spreadsheet logs, and shared drive storage. This approach works at low vendor volumes. It breaks down as vendor counts grow, staff turns over, or renewal windows cluster.
The most common failure points in manual programs are:
- Incomplete vendor lists — vendors who complete work but were never added to the tracking log
- Verification by receipt — marking a vendor as compliant when their certificate was received, without reviewing it against requirements
- Expiration monitoring gaps — certificates that expire without triggering renewal outreach because no one owns the calendar review
- Single-point dependencies — compliance programs where one person manages the spreadsheet, and no process survives their departure
Automated COI tracking platforms address these failure points by centralizing vendor records, standardizing verification workflows, and automating renewal outreach based on expiration dates—removing the human memory dependency that causes most lapses.
What are the consequences of poor COI tracking?
Compliance failures in COI tracking don't produce immediate consequences. The gap between a lapsed certificate and an actual incident can be months or years. That lag is one reason organizations underestimate the exposure—it's invisible until it isn't.
What happens when a vendor isn't covered at the time of an incident
When a vendor causes an injury or property damage while their policy is lapsed, the absence of valid coverage doesn't eliminate the liability. It reallocates it. The injured party still has a claim. The additional insured designation that would have provided direct access to the vendor's policy isn't available if the policy wasn't active—and the organization that hired an uninsured contractor has limited recourse against the vendor and may face direct exposure of its own.
Audit readiness and contract compliance
Beyond incident exposure, COI tracking affects audit readiness and contract compliance. Many commercial contracts—particularly in construction, property management, and healthcare—require the client to maintain records of vendor insurance throughout the contract period. Audits following a loss or contract dispute frequently include requests for COIs on file at the time of the incident.
A compliance program that relies on received certificates without systematic verification and renewal tracking may produce records that satisfy the appearance of a compliance program without satisfying its actual requirements.
What an effective COI tracking program requires
An effective program addresses all three phases of the workflow with defined processes, clear ownership, and a systematic approach to exception handling. The right structure depends on vendor volume, industry-specific requirements, and the complexity of coverage requirements across the portfolio.
Collection and submission process
The collection process needs a defined trigger—when does a COI request go out? Typically, this is at vendor onboarding, contract execution, or the beginning of each policy year. Every vendor who performs work under a contract should be in the tracking system before work begins, not after.
Vendor submission friction affects completion rates. Processes that require vendors to create portal accounts, navigate multi-step upload workflows, or submit through unfamiliar systems produce lower compliance rates than simple, direct submission methods. The harder it is to submit a certificate, the more follow-up the tracking program requires.
Verification standards
Verification requires a written standard—a set of contract-specific insurance requirements that every certificate is measured against. Without a documented standard, verification becomes inconsistent across staff members and vendor relationships. Common verification criteria include:
- Coverage types required (GL, auto, workers' comp, umbrella)
- Minimum per-occurrence and aggregate limits by vendor category
- Additional insured requirement (and whether a separate endorsement must be attached)
- Waiver of subrogation requirement
- Notice of cancellation provisions
Verification also requires knowing the difference between what a certificate says and what the underlying policy provides. A certificate can list an additional insured without the corresponding endorsement being attached to the policy. Reviewing the endorsement—not just the face of the certificate—is the standard that closes this gap.
Expiration monitoring and renewal workflows
Renewal workflows require defined outreach windows. Best practice is outreach at 60 days, 30 days, and 15 days before a certificate expires, with escalation protocols if a renewal isn't received by the expiration date. The specific windows matter less than the consistency—a program that sends one reminder at 30 days is better than one that sends none.
Monitoring also applies to active certificates. Mid-term cancellations and coverage changes are less frequent than expirations, but they represent coverage gaps that occur between renewal cycles. Programs that rely exclusively on expiration date tracking miss these events unless they include periodic status verification or automated carrier notifications.
When COI tracking is not the right solution
COI tracking addresses proof of insurance—it doesn't evaluate the quality, financial strength, or claims history of the underlying carrier. Organizations with vendor risk management requirements beyond coverage verification need additional processes alongside COI tracking.
COI tracking also doesn't replace contract review. A certificate can show coverage that meets the face value of a contract requirement while still leaving gaps—because the contract's insurance language was incomplete, because the endorsement contains limiting language that narrowed the coverage, or because the certificate's coverage type doesn't match the actual risk of the work being performed. Legal review of insurance requirements is a separate function from COI tracking.
For organizations with fewer than 25 vendors and simple, uniform coverage requirements, manual tracking via spreadsheet may be sufficient. The process overhead of implementing automated tracking is an investment that produces the highest return at moderate to high vendor volumes, complex coverage requirements, or both.
Frequently asked questions
Put this into practice
Effective COI tracking requires collection, verification, and ongoing monitoring—and the complexity scales with every vendor you add. bcs automates all three functions, with instant compliance feedback, automated renewal tracking, and a network of 98,000+ pre-vetted vendors already in the system.
Try bcs free—full platform access for up to 25 vendors, no credit card required.
