COI Tracking for Small Property Managers: A Practical Workflow

If you manage a small portfolio — say, two to twenty properties — your vendor list is large enough to matter and small enough that nobody on staff is dedicated to compliance work. The COI tracking falls to whoever has time. Often that's you.

This post walks through a workable monthly rhythm for tracking vendor insurance, the way a small property management shop actually does it. Not what an enterprise compliance team does. Not what a one-property landlord does. The middle band — five to fifty vendors across a handful of properties, and one to three people sharing the load.

Who this is for

Property managers running between two and twenty properties (residential, commercial, or mixed). Vendor list of roughly five to fifty active vendors — plumbers, electricians, HVAC, landscaping, pest control, cleaning, painting, snow removal where relevant. One to three people share access to vendor records. Audit pressure ranges from "occasional lender ask" to "annual carrier review."

If you have a hundred-vendor list across a hundred properties, you've outgrown this post. If you have one rental and one handyman, you've under-grown it.

The four-part workflow

The work is on four cycles that run in parallel:

1. Vendor onboarding — what happens when a new vendor starts.
2. Monthly review — the rhythm that keeps the file clean.
3. Renewal flow — what happens 30 days before each expiry.
4. Audit-ready check — a quarterly self-audit that simulates an external one.

Skip any one of these and the system breaks within six months. Skip the renewal flow and lapses pile up. Skip the monthly review and the active list drifts. Skip vendor onboarding and bad data enters the file. Skip the audit-ready check and you only learn about gaps when an outsider points them out.

Cycle 1 — Vendor onboarding

A new vendor starts on a property. Before they touch tools, you need their COI. The friction point is that vendors hate paperwork and will start work before sending the certificate if you let them.

The workable rule: no work before the COI is on file. This is unpopular for one quarter and then nobody fights it.

The process:

1. Send the request. When the vendor agreement is signed, your first email asks for "a current Certificate of Insurance, with [your entity legal name] listed as Additional Insured, [your entity address] as Certificate Holder, minimum $1M per occurrence / $2M aggregate on general liability, plus workers' compensation if the vendor has employees." Be specific. A vague request gets a vague certificate.
2. Verify on receipt. When the certificate arrives, check (a) your entity is named correctly, (b) the limits meet your minimums, (c) the effective date is in the past (or starts on the contract date), and (d) the expiry is at least 60 days out.
3. File and log. Save the PDF where you can find it later. Log the vendor, the coverage type, the effective and expiry dates, the policy number, and the insurer. A spreadsheet works for this; a tracking tool automates it.
4. Set the reminder. The expiry date triggers your 30-day renewal reminder. Spreadsheets don't fire reminders; pick a system that does.

Three things go wrong at this stage in roughly equal measure:

• The certificate names a different entity. The vendor's broker filled in the wrong customer. Send it back.
• The limits are below your minimums. Common with one-person LLC vendors. They'll need to upgrade their policy or you decline the work.
• The vendor asks "do I really need this?" The answer is yes. Have one polite, prepared response ready, send it, and don't negotiate.

Cycle 2 — The monthly review

Once a month, ideally on the same Tuesday or Thursday every month, you sit down for thirty minutes and do this.

Step 1 — Check the dashboard. Look at every vendor's certificate state. Anything in the "expiring in 30 days" bucket is the renewal queue (cycle 3 — see below). Anything already expired needs action today. Anything missing — vendor on the active list with no certificate at all — is the highest priority of the month.

Step 2 — Update the active list. Vendors no longer working with you get marked inactive. Don't delete them — keep the historical certificates intact. Just remove them from the "active" view so the dashboard doesn't lie about what's covered.

Step 3 — Reconcile against accounts payable. Pull a list of vendors paid in the last 90 days. Compare to your COI tracker. Any vendor you've paid recently who isn't on the COI tracker is a gap. Often this catches one-off vendors who were brought in for a specific job and never properly onboarded.

Step 4 — Note anything weird. A certificate from a carrier you've never seen before? An effective date that doesn't make sense? A vendor's email bouncing? Write it down. Most of these are nothing; some are early signs of a vendor in trouble.

This is half an hour a month. It's the single highest-leverage thing you can do for vendor compliance, and it's the thing that gets skipped first when you're busy.

Cycle 3 — The renewal flow

Thirty days before each certificate expires, the work begins.

Day -30 — First reminder. Email the vendor: "Your [coverage type] expires on [date]. Please send a current certificate when renewed." Polite, specific, no pressure.

Day -14 — Second reminder. Same email, slightly firmer. "We haven't received the renewed [coverage type] yet. It expires on [date]; please send the updated certificate by [date - 7]."

Day -7 — Third reminder, plus internal escalation. Same email to the vendor, and a flag in your own dashboard that this vendor is on the verge of a gap. If the vendor is doing active work, decide what happens at expiry — pause the work, withhold the next payment, or accept a verbal "we're working on it" from a vendor you trust deeply.

Day 0 — Expiry. The old certificate is now expired. If the new one hasn't arrived, the vendor is technically uninsured for any work they do today. Most operators stop work at this point. Some give a 7-day grace period for vendors with a known-good track record.

Day +X — New certificate received. When the renewed certificate arrives, it goes into the system as a new certificate, not as an update to the old one. The old one stays on file with its dates intact (for audit history); the new one becomes the active record.

This is the cycle most spreadsheets fail at. A spreadsheet doesn't email anyone; it just sits there with a colored cell. Either you build the email-reminder workflow yourself (Outlook reminders, Calendly, a personal cron job) or you use a tool that does it as a feature.

Cycle 4 — The quarterly self-audit

Once a quarter, simulate an external audit. Pretend a lender just emailed asking for proof of vendor compliance, and you have until end of business tomorrow.

Pull a coverage-as-of report for today. Every active vendor, their certificates, their effective and expiry dates, their insurer, their policy number. If your tool can generate this in one click, you're audit-ready. If you have to hand-build it from a spreadsheet, that's the gap to fix.

Pull the same report for 90 days ago. This is the audit-trail check from the audit checklist post. If you can't reconstruct the state of compliance from a quarter back, your tracking system isn't preserving history correctly.

Flag exceptions. Anything missing, anything expired, anything with the wrong insured entity name. Fix what you can fix today; document what you can't.

Save the reports. Even if no audit is coming, the act of producing the reports each quarter creates a paper trail of your own. When an audit does come, you'll have four prior quarters of evidence that you've been doing this work consistently.

This is the cycle that converts "we have COI tracking" into "we have audit-ready COI tracking" — and the difference matters every time you face a real audit, refinance, or property sale.

What goes wrong (and what to do about it)

A few failure modes show up reliably across small property management shops:

The "I'll get to it tomorrow" lapse. A vendor's certificate expires on the 14th. You meant to follow up. Other things happened. Three weeks later, you remember. By that point, the vendor has done work uninsured. Fix: automate the reminders so they fire whether or not you remember. The whole reminder cadence above is the structural fix; willpower isn't.

The mystery vendor. A vendor you've been paying for six months isn't in your COI tracker. Somebody — maybe your assistant, maybe a tenant — brought them in for a one-off job and they stuck around. Fix: monthly AP reconciliation (cycle 2, step 3). Always.

The wrong-entity certificate. A vendor's broker filed the certificate under the previous owner's name, or under your management company's name when it should be under the property's LLC. Fix: spot it on receipt, send it back. Don't accept "close enough."

The shared inbox problem. Vendor request emails go to a generic info@ or office@ mailbox; nobody owns the renewals. Fix: a dedicated email or alias for COI work, with one named person responsible. Even if it's the same person who reads info@, the dedicated address makes responsibility legible.

The departing admin. Whoever has been running the COI workflow leaves. Their replacement inherits a sheet they don't understand and a vendor list with stale entries. Fix: a one-page written process (per the audit checklist) plus a tracking tool with a documented UI rather than a hand-rolled spreadsheet. The tool survives the personnel change.

The minimum viable system

If you're starting from scratch, here's the smallest workable setup:

1. One source of truth for the vendor list. Spreadsheet, database, SaaS — pick one and stick to it. Don't run "the master list" in two places.
2. One certificate per row. Not one row per vendor with columns for each coverage type. One row per certificate, full stop.
3. Effective date and expiry date in proper date columns. Not text. Sortable, filterable.
4. A PDF link per row. Even if the PDF lives on Google Drive or Dropbox, the link must be in the row. Lost PDFs are functionally lost certificates.
5. An email reminder system that fires 30/14/7 days before each expiry. Whether DIY or via a tool. The reminder is the product.
6. A monthly review on the calendar. Half an hour. Same day every month.
7. A quarterly self-audit. Even a casual one. Even if just for yourself.

That's it. Tools and process beyond this are nice-to-have. Don't over-engineer until you're consistently doing the seven things above.

Frequently asked questions

How many vendors before I need a real tool?

Most small property managers can run on a careful spreadsheet up to about ten active vendors. Past that, the reminder problem makes spreadsheets unreliable. Different operators draw the line in different places, but ten is the median.

What about subcontractors of my vendors?

If your contracts require general contractors to ensure their subs are insured (most do), you might or might not want copies of the subs' certificates yourself. Industry practice is mixed. The conservative approach is to require the GC to maintain its own COI tracking and audit them annually. Tracking every sub yourself is enterprise-level work and not worth it at this scale.

Do I need certificates from one-time vendors?

Yes. A handyman who comes by once for a small job is the most common source of an uninsured-incident claim. The friction is real, but the alternative is worse. If the vendor refuses or can't produce a COI for a one-off job, the work doesn't happen.

How do I handle a vendor who works across multiple properties?

One vendor, one set of certificates — the certificates cover the vendor's work generally, not work on a specific property. Track at the vendor level. Note which of your properties they actively work on as a separate field for your own records.

What software do property managers use for this?

Two camps. Enterprise property management platforms (Buildium, AppFolio, Yardi) include COI tracking as a sub-feature, but they're $50–200/mo and most of the cost is the property management software you may not need. Standalone COI tracking tools (myCOI, CertFocus, COI Tracker) focus only on vendor compliance and run from $0–29/mo at the small-business end. The right pick depends on whether you also need the property management features bundled. If you already use a different PM tool, a standalone tracker is usually cheaper and better.

What if a vendor has insurance but won't send the certificate?

Almost always means the vendor's broker is slow, not that the vendor is hiding something. Email the vendor's broker directly with the request — most brokers respond within 24 hours when prompted. If the vendor refuses to involve their broker, treat that as a flag.

Should I require waivers of subrogation?

For commercial work, yes. A waiver of subrogation prevents the vendor's insurer from suing you after paying a claim. Most commercial vendor agreements should require it; most certificates don't show it by default. Ask specifically when requesting the certificate.

---

Track your first 5 vendors free across however many properties you manage. COI Tracker sends 30/14/7-day reminders automatically, lets you request renewals from any vendor in one click, and keeps an audit-ready history of every certificate that's ever been on file. Free for your first 5 vendors. Starter is $9/mo for 50 vendors; Growth is $19/mo for 200 — most small property managers land on Starter or Growth depending on the size of their vendor list. → Get started · See pricing

Written by the COI Tracker team. We build tools for small property managers, general contractors, and operations leads who are one lapsed vendor away from a very bad Tuesday.