Vendor Insurance Compliance Checklist

Vendor insurance compliance is one of those operational responsibilities that looks simple from the outside — collect a certificate, file it away — but breaks down consistently in practice. Documents expire quietly. Vendors change carriers without telling you. And no one on your team has time to manually audit 50 vendor files every month.

This checklist covers every stage of the vendor compliance lifecycle: onboarding, ongoing monitoring, and the annual audit. Use it to build a process your team can actually follow — not just during slow periods, but consistently.

Why Vendor Insurance Compliance Matters

The practical risk is straightforward. When a vendor or contractor causes an incident on your property — a worker injury, property damage, a third-party claim — the first question is whether they had valid insurance at the time. If they didn't, your organization steps into the gap.

Courts in most jurisdictions hold property owners and managers to a standard of reasonable care, which includes verifying that contractors carry appropriate coverage before allowing them to work. A compliance gap doesn't just create financial exposure — it creates legal exposure in the event of litigation.

There's also a contractual dimension. Most commercial leases, service agreements, and vendor contracts include insurance requirements. If your process doesn't enforce those requirements consistently, you may be in technical breach of your own contracts.

Required Documents by Vendor Type

General maintenance and service vendors

For vendors performing routine maintenance, cleaning, landscaping, or general facility services, the standard documentation set includes:

Commercial general liability — minimum $1M per occurrence / $2M aggregate
Workers' compensation — statutory limits for your state
Commercial auto liability — $1M combined single limit (if vehicles are used on-site)

Construction and specialty contractors

For contractors performing structural work, electrical, plumbing, HVAC, or other specialized trades:

All of the above, with higher general liability limits ($2M per occurrence / $4M aggregate is common)
Umbrella / excess liability — $2M or higher depending on project scope
Professional liability / errors and omissions — for design-build or engineering work
Additional insured endorsement — your organization named as additional insured on the GL policy

Technology and service providers

For vendors accessing your systems or handling data:

Commercial general liability
Cyber liability insurance — for vendors handling sensitive data
Professional liability / E&O

Additional insured status: Being listed as a certificate holder and being listed as an additional insured are different things. As a certificate holder, you receive notice of policy cancellation. As an additional insured, you have coverage under the vendor's policy if a claim arises from their work. For higher-risk vendors, always require additional insured status.

Vendor Onboarding Compliance Workflow

Establish this as a non-negotiable step before any new vendor begins work.

Vendor Onboarding Checklist

Identify required coverage types and minimum limits based on vendor category

Send insurance requirements to vendor in writing before contract execution

Request certificate of insurance directly from vendor's insurance agent (not the vendor)

Verify all required coverage types are present on the certificate

Confirm coverage limits meet your minimum requirements

Confirm your organization is listed as certificate holder

Confirm additional insured status where required

Record each policy's expiration date in your tracking system

File the certificate with date received and review date noted

Add the vendor to your recurring expiration monitoring schedule

Review Schedule

Insurance certificates are not a one-time collection. Each policy line on a certificate has its own expiration date, and those dates don't stay synchronized between vendors — or even between policies for the same vendor.

Ongoing monitoring

At a minimum, review your vendor compliance status monthly. For organizations with 25 or more vendors, weekly review of upcoming expirations is more appropriate. The goal is to catch upcoming expirations with enough lead time to request a renewal certificate before the current policy lapses.

Expiration triggers

Set a standard contact schedule for every vendor with an expiring policy:

60 days before expiration: Send a courtesy notice reminding the vendor of the upcoming renewal date and your requirements
30 days before expiration: Request an updated certificate and confirm the vendor has initiated renewal with their carrier
7 days before expiration: Escalate if no renewed certificate has been received. Notify the vendor that work will be suspended if coverage lapses
Day of expiration: If no renewal is on file, suspend vendor activity until updated documentation is received

Important: Don't allow a vendor to continue work on the assumption that they've "probably renewed." Until you have a current certificate in hand, the policy may have lapsed. The vendor's assurance that they've renewed is not documentation.

Common Compliance Failures

These are the gaps that show up most often in vendor compliance audits:

Certificates collected but never re-verified. A vendor submits a certificate during onboarding, it gets filed, and no one looks at it again. A year later, two of the three policies have lapsed and the vendor has been on-site throughout.

Only the earliest expiration date is tracked. Teams note the soonest expiration and move on, not realizing that other policies on the same certificate expire at different dates. A vendor can be "active" in your system while two of their four coverage lines have expired.

Accepting certificates directly from the vendor. Contractors occasionally submit altered certificates — with inflated limits or extended dates — to avoid the hassle of dealing with their agent. Requesting certificates directly from the issuing agent eliminates this risk.

No enforcement when coverage lapses. Compliance programs that don't suspend non-compliant vendors effectively train vendors that the requirements aren't real. If the only consequence of an expired certificate is a follow-up email, some vendors will deprioritize renewal indefinitely.

Inconsistent requirements across vendor categories. Requiring the same coverage from a landscaping company as you do from a structural contractor exposes you to arguments about unreasonable requirements. Tiered requirements matched to vendor risk level are more defensible and more practical to enforce.

Annual Audit Process

Once a year, conduct a full audit of your vendor compliance program — not just individual certificates, but the process itself.

Annual Compliance Audit Checklist

Pull a complete list of all active vendors

Confirm you have a current, valid certificate on file for every active vendor

Verify each certificate's coverage types still match current requirements for that vendor category

Verify coverage limits still meet minimums (your requirements may have changed, or the vendor's scope of work may have expanded)

Confirm additional insured endorsements are still in place where required

Remove inactive vendors from your monitoring list

Update your minimum insurance requirements based on any changes to your operations or risk profile

Review your vendor contracts to confirm insurance requirements are still aligned

Confirm your tracking system is capturing all active vendors — no gaps

Document audit completion date and findings

Frequently Asked Questions

How do I know if my coverage requirements are appropriate?

Your own insurance broker is the best resource. Share your vendor list and the types of work they perform, and ask your broker to review your minimum requirements. Requirements that are too low leave you exposed; requirements that are unreasonably high create friction in vendor relationships. Your broker has seen what coverage levels are standard for your industry.

What if a vendor says their carrier won't issue a certificate with those limits?

Ask to see their policy declarations page directly from their carrier. If their actual coverage meets your requirements but the certificate doesn't reflect it, the issuing agent may need to reissue with the correct information. If their coverage genuinely doesn't meet your requirements, you have three options: require them to increase their coverage, reduce the scope of their work to match their coverage level, or find a different vendor.

Are there industries with specific COI requirements beyond the basics?

Yes. Construction, healthcare, educational institutions, and government contractors often have regulatory or contractual requirements that go beyond standard commercial insurance minimums. If your organization operates in a regulated industry, consult your legal counsel on what specific documentation your compliance program should require.

How should I handle vendors who work on multiple properties?

Each property or location should have its own vendor compliance file. A vendor may be compliant at one property and non-compliant at another if their certificate doesn't name all relevant locations or if they let coverage lapse between renewal cycles. Track compliance at the property level, not just the vendor level.

Conclusion

A vendor insurance compliance program only works if it's consistent. The checklist above isn't meant to be run once — it's a repeating process that catches problems before they become incidents.

The organizations that handle this well aren't doing anything complicated. They have clear requirements, a predictable onboarding process, a reliable reminder system, and an annual audit that keeps the whole program honest. The ones that struggle are typically doing it manually and relying on someone to remember to check.

Stop managing compliance manually.

COI Tracker automates certificate collection, expiration alerts, and vendor reminders — so your compliance program runs on its own.

See Plans and Pricing →