COI Tracker

How to Track Vendor Certificates of Insurance

By COI Tracker Team

If you've been told to "track vendor COIs" and you're not sure where to start, this is the practical version: the fields you collect, the renewal cadence, the audit-ready file structure, and the specific moments where most teams quietly stop tracking and just hope.

What "tracking a COI" actually means

A Certificate of Insurance (COI) is a one-page document a vendor's insurance broker generates that summarizes the active policy: insurer, policy number, coverage type, coverage limits, effective date, expiration date, and (often) the entities listed as Additional Insured.

Tracking it means three things, in order of importance:

  1. Knowing it expires — you want to know the expiration date before it expires.
  2. Holding the file — you want the original PDF, not a screenshot, not a forwarded email.
  3. Confirming it meets your requirements — your contract probably specifies minimum coverage; the certificate has to actually meet it.

Anything else (categorizing by trade, tagging by project, integrating with your accounting system) is icing. If you nail those three, you have an audit-ready system.

What to collect from each vendor

Per vendor, you want this set of fields. We've watched dozens of operators settle on roughly this list independently — it's the minimum that works.

  • Vendor name (legal entity name as it appears on the COI, not the doing-business-as)
  • Vendor email (the broker's email is more reliable for renewals than the vendor's directly)
  • Coverage type (General Liability, Workers Comp, Auto, Umbrella — most contracts require multiple types)
  • Coverage limits (the dollar amounts: $1M / $2M aggregate is common)
  • Effective date and expiration date
  • Additional Insured language (does it name you? In what capacity?)
  • Waiver of Subrogation (does the policy include it? Some contracts require it.)
  • The actual PDF

Most teams skip the AI/WOS fields when they start, because checking the language is more work than checking the dates. That's fine for the first year. By the time an insurance audit happens, you'll wish you'd been recording it.

How to store it

Three storage rules, learned the hard way:

1. Hold the original PDF, not a screenshot. A screenshot has no metadata and renders the document non-verifiable. If an auditor asks for proof, a screenshot won't pass.

2. Use private storage, not a shared folder. Drive folders that "anyone with the link" can view will eventually leak. Private storage with short-lived signed URLs is the right model.

3. Name files predictably. vendor-name_coverage-type_yyyy-mm-dd.pdf is the convention most teams converge on. Spaces in filenames cause problems; use hyphens or underscores.

The shortcut: a tool like COI Tracker attaches the PDF directly to the vendor record and serves it through signed URLs by default. You don't manage filenames or folders; the tool does.

The renewal reminder cadence

This is the part that fails in spreadsheets.

The reliable cadence — the one that actually catches lapses — is three reminders per certificate:

  • 30 days before expiration — the renewal-initiation window. Time for the vendor's broker to bind a new policy and issue a new cert. Most renewals happen here.
  • 14 days before expiration — the follow-up window. The brokers who didn't respond the first time are reachable again, and the vendor's office staff has had time to chase it internally.
  • 7 days before expiration — the last-call window. If the cert hasn't arrived by now, you stop work or escalate to a manager.

A single 30-day reminder is not enough. About 30% of vendor brokers don't respond to a single notice; they need a second nudge. A single 7-day reminder is too late — the broker may not have time to bind a new policy.

If you're doing this in a calendar, you'll need three calendar entries per vendor per renewal cycle. That's manageable up to about ten vendors. Past that, you want the tool to fire the emails for you.

How to request a new certificate

The renewal request email is shorter than most people make it. The structure that works:

Hi [Vendor],

Your General Liability certificate on file with us expires on [Date]. Please have your broker send the renewal certificate to this email address before [Date – 7 days]. We'll need:

  • Active GL coverage of at least $1M / $2M aggregate
  • [Your company] named as Additional Insured
  • Waiver of Subrogation in favor of [Your company]

Reply with the new PDF when you have it.

That's it. No greeting, no "hope you're well", no "we appreciate your partnership". The email is doing one job; let it do it.

If you're using a tool, you click "Request Update" and the email goes out from your name, with the vendor's specific expiration date pre-filled. The vendor's reply lands in your inbox, you upload the new PDF, and the cycle starts over.

What an audit-ready system looks like

When the audit comes — insurance carrier, owner, broker, franchise — they want one thing: proof that every active vendor has current coverage.

The audit-ready dashboard answers that in one screen:

  • A row per vendor
  • A status column: Expired / Due / Soon / Safe
  • The expiration date
  • The PDF link

Filter to "Expired" or "Missing." If the list is empty, you pass. If it isn't, you have a punch list.

Spreadsheets can do this, in theory. In practice they don't, because the manual upkeep falls behind the moment something else gets prioritized.

Where teams quietly stop tracking

Three failure modes show up over and over:

  1. The spreadsheet stops getting updated when the operator who maintained it leaves or moves teams. The data freezes; vendors keep coming and going; nobody notices.
  2. Renewals stop firing when the calendar reminders accumulate to where they all get dismissed without reading. Past about ten vendors with rolling renewals, calendar fatigue is real.
  3. The audit prep happens in panic mode, the night before the binder is due. Most of what's missing then is the same data that should have been collected at vendor onboarding.

The pattern is the same: the process failed before the people did. Building a process that doesn't depend on remembering is the actual job.

What to do next

If you're starting from zero:

  1. List every vendor you're contractually responsible for.
  2. For each, request a current COI (use the email above).
  3. As they come in, capture the fields above and store the PDF.
  4. Set up reminder dates for each vendor's expiration.

If you're already partway in:

  1. Audit your existing list against your current vendors.
  2. Add anyone missing.
  3. Confirm every COI on file is still current.
  4. Set reminders for the next 12 months.

If you don't want to manage the reminders manually, COI Tracker is free for up to 3 vendors — enough to test the workflow on a real subset of your data before deciding whether to scale up.

Related reading: The Vendor COI Audit Checklist covers what auditors actually check. What Happens When a Vendor's COI Expires? is the post you want before the lapse, not after.