The Vendor COI Audit Checklist (What Lenders and Insurers Actually Look For)

By COI Tracker Team

Sooner or later, somebody is going to ask you for proof. It might be a lender doing a refinance review. It might be your own insurance carrier scoping next year's policy. It might be a property buyer doing due diligence. It might be your internal accounting team during a year-end close.

Whichever it is, the question is roughly the same: "show me that the vendors working on your property are insured, that they've been insured the whole time, and that you've been keeping track."

This post is the checklist. It's not a hypothetical — every item has bitten somebody real. If you can answer "yes" to all of these on demand, you'll pass any reasonable audit. If you can't, this is the prep work to do before you're under the gun.

Who this is for

Property managers, GCs, facility managers, and ops leads who track vendor COIs and are facing — or might face — an audit, a lender review, an insurance renewal, or a property due-diligence pass. Big enterprise compliance teams have their own playbooks; this is the practical one for a five-to-fifty-vendor operator.

If a deal is in flight or an audit notice already arrived, work straight down the list. If you're prepping in advance, do one section a week.

What auditors actually ask for

Before the checklist, here's the surprising part: most audits don't ask for every certificate ever issued. They ask three questions and the rest is theater.

Question 1 — coverage in force right now. Is every active vendor currently covered, in the right amounts, on the right policies? This is the easy one. A clean spreadsheet or a screenshot of your tracking tool's dashboard answers it.

Question 2 — coverage in force for a specific past date. "On March 14th of last year, was Acme Plumbing covered? Show me the certificate." This is the question that breaks weak tracking systems. If your spreadsheet only stores the current certificate and overwrites the previous one on renewal, you cannot answer this question. The auditor learns that you don't have an audit trail, which is a finding all by itself.

Question 3 — process when a certificate lapses. "What happens when a vendor's coverage expires? Walk me through what you do." A documented process — even a one-pager — is usually enough. Without one, the auditor concludes you don't have a process, and any past lapse is treated as proof.

The checklist below covers all three.

Section A — Current state (do this monthly)

These are the items that prove "coverage in force right now." Audit or no audit, run through this list once a month. It's the cheapest insurance you can buy.

  • Active vendor list is current. Vendors no longer working on the property are marked inactive or removed. A bloated list with ghost vendors is a red flag — it suggests nobody's been minding the file.
  • Every active vendor has at least one COI on file. A vendor with no certificate at all is the most common audit finding and the easiest one to fix: ask for it.
  • Each COI lists the right insured entity. "Right" means the legal name of your operating entity (the LLC, the trust, the corporation), spelled correctly, with the right address. A certificate naming a different entity is functionally worthless. This is the silent killer — a stack of certificates that all look fine but were issued to the wrong company.
  • Each COI names you (or your entity) as additional insured where required. A property manager managing on behalf of an owner usually needs both the manager and the owner named. Read the certificate carefully — "Certificate Holder" is not the same as "Additional Insured", and only the latter actually transfers risk.
  • Coverage limits meet your contractual minimums. If your vendor agreements require "$1M per occurrence / $2M aggregate" on general liability, every GL certificate must show at least that. Below-minimum coverage on file is a finding even if the vendor never causes a claim.
  • Each COI is currently in effect. Effective date in the past, expiry date in the future. Any expired certificate must be either renewed or the vendor must be put on hold until they renew.
  • Each COI's coverage type matches what the vendor actually does. A landscaper with only general liability and no auto coverage is under-insured if they drive a truck onto the property. Match the coverage to the work.
  • Workers' compensation is on file for any vendor with employees in the U.S. Even single-person LLCs sometimes need WC depending on the state. When in doubt, require it.
  • Waiver of subrogation is in place where your contracts require it. Without a waiver, the vendor's insurer can sue you after paying a claim. Most commercial vendor agreements require waivers; most certificates don't show them by default. Check the box specifically.
  • Each PDF is openable and stored where you can find it. A spreadsheet entry that points to a file on a former admin's laptop is no different from no certificate at all.

That's the monthly hygiene. Skipping a month at fifty vendors leaves you about ten certificates behind. Skipping a quarter is how audits get failed.

Section B — Historical state (build this once, maintain it forever)

This is the piece most spreadsheets fail at. To answer the "coverage on a specific past date" question, you need a real audit history.

  • Every certificate ever filed is preserved. When Acme Plumbing renews their policy, the new certificate goes into the system as a new row, not as an update to the old one. The old one is marked superseded but stays on file.
  • Each historical certificate has its effective date and expiry date intact. No overwriting. No "we'll update the dates when we get the new one."
  • Each historical certificate's PDF is preserved. Same logic. A historical row that points at a missing PDF is half a record.
  • Gaps in coverage are documented. If a vendor's GL coverage lapsed for 11 days between policies, the gap exists in your records. Pretending it didn't happen is worse than acknowledging it — auditors check, and a clean record next to a known gap is more credible than a suspiciously perfect record.
  • The audit trail is one query away. "Show me Acme Plumbing's coverage on March 14, 2025" should produce a list of every active certificate on that date in under a minute. If it takes longer, the audit trail is broken.

For most operators, getting this right means moving off a single-row-per-vendor spreadsheet structure. The certificate is the unit of record, not the vendor. One vendor with three coverage types over five years has fifteen certificates on file. That's a lot for a spreadsheet to maintain by hand. It's trivial for software.
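The one-certificate-per-row structure from this section, as an added sketch (not COI Tracker's code or schema): renewals are stored as new rows, filed rows cannot be edited or deleted, and both the "coverage on a past date" question and the gap check become short queries. The table and column names, the sample rows, and the choice to treat the expiry date as exclusive are assumptions made for the example.

```python
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE certificates (
    id INTEGER PRIMARY KEY, vendor TEXT NOT NULL, coverage TEXT NOT NULL,
    effective TEXT NOT NULL, expiry TEXT NOT NULL, pdf_path TEXT NOT NULL,
    CHECK (effective < expiry));
-- Renewals are new rows; filed rows can never be edited or removed.
CREATE TRIGGER certs_no_update BEFORE UPDATE ON certificates
BEGIN SELECT RAISE(ABORT, 'certificates are append-only'); END;
CREATE TRIGGER certs_no_delete BEFORE DELETE ON certificates
BEGIN SELECT RAISE(ABORT, 'certificates are append-only'); END;
"""

# Constructed sample rows: (vendor, coverage, effective, expiry, pdf_path).
SAMPLE = [
    ("Acme Plumbing", "GL", "2024-03-01", "2025-03-01", "certs/acme-gl-2024.pdf"),
    ("Acme Plumbing", "GL", "2025-03-12", "2026-03-12", "certs/acme-gl-2025.pdf"),
    ("Acme Plumbing", "WC", "2024-09-15", "2025-09-15", "certs/acme-wc-2024.pdf"),
]

def open_store(rows=SAMPLE):
    """Create an in-memory store and file each certificate as its own row."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO certificates (vendor, coverage, effective, expiry, pdf_path) "
        "VALUES (?, ?, ?, ?, ?)", rows)
    return db

def coverage_as_of(db, vendor, day):
    """Certificates in force on `day` (ISO date); expiry date is exclusive."""
    return db.execute(
        "SELECT coverage, effective, expiry, pdf_path FROM certificates "
        "WHERE vendor = ? AND effective <= ? AND ? < expiry ORDER BY coverage",
        (vendor, day, day)).fetchall()

def coverage_gaps(db, vendor, coverage):
    """(last_expiry, next_effective, days) for every lapse between policies."""
    rows = db.execute(
        "SELECT effective, expiry FROM certificates "
        "WHERE vendor = ? AND coverage = ? ORDER BY effective",
        (vendor, coverage)).fetchall()
    gaps, covered_until = [], None
    for eff, exp in rows:
        if covered_until is not None and eff > covered_until:
            lapse = date.fromisoformat(eff) - date.fromisoformat(covered_until)
            gaps.append((covered_until, eff, lapse.days))
        covered_until = exp if covered_until is None else max(covered_until, exp)
    return gaps
```

Because superseded status is derived from the dates rather than written back onto the old row, the history cannot be silently rewritten, and a lapse stays visible in the record.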

Section C — Process documentation (write this once, update as needed)

The third question — "what happens when a certificate lapses?" — is the easiest to fail and the easiest to fix.

You need a written, dated, one-page process document. It can be in a Google Doc, in a wiki, in your operations manual, or in the README of your tracking system. Auditors don't care about the format; they care that it exists and is followed.

The process doc should answer:

  • Who tracks vendor COIs. A name, not a department.
  • How often the list is reviewed. Weekly is overkill for most; monthly is the floor.
  • When reminders are sent to vendors. Most operators run on a 30/14/7-day cadence — three reminders before expiry. Document the cadence even if your system runs it automatically.
  • What happens when a vendor doesn't renew on time. Stop work? Hold payment? Escalate to the owner? Pick a policy. "We figure it out case by case" is not a policy.
  • Who has access to the file. If only one person can edit the COI tracker, what happens when they leave? A backup is required.
  • How long historical certificates are retained. "Forever" is the safest answer. "Seven years from policy expiry" is the legally defensible minimum in most U.S. jurisdictions.
  • How a vendor gets onto the active list in the first place. Onboarding usually requires a current COI before work starts. Document the gate.
  • How a vendor gets removed. Same logic — when does an inactive vendor get archived?

A process doc that is followed in practice is worth more than a perfect-on-paper process that nobody actually runs. Auditors can tell the difference within five minutes of conversation.

Section D — Pre-audit prep (one week before)

If an audit is on the calendar, here's the week-of checklist:

  • Pull a coverage-as-of report for the audit's effective date. If the auditor asks for state as of March 1, 2026, you should be able to produce a list of every vendor and their coverage status on that exact date. Most modern tracking tools generate this in a click.
  • Check for any expired-but-not-renewed certificates. Renew them before the audit if possible; document the renewal-in-progress status if not.
  • Verify every PDF link works. Click through a sample of 10–20 certificates. Broken links are the most common embarrassment during an audit walkthrough.
  • Print or export a clean cover page with date of report, total active vendors, total active certificates, total expired in the last 12 months, total renewed within their reminder window. This summary frames the auditor's first impression.
  • Brief any colleague who might be in the room. Make sure the answer to "who tracks COIs here?" is the same name from two different mouths.

Common audit findings (and how to avoid them)

After enough audits, the same problems show up:

  • "Insured entity name doesn't match the contract." Fix at intake — don't accept a certificate with the wrong name. Send it back, ask for a corrected one.
  • "Additional insured wording is generic." "Per written contract" is OK on most certificates; specific wording is sometimes required. Read your contracts.
  • "Coverage limits don't meet contract minimums." Track contract minimums per vendor type, not just per vendor. Plumbers and landscapers often need different amounts.
  • "Gap in coverage between policies." If you can't avoid the gap, document the date the new certificate arrived and the steps taken during the gap (no work performed, etc.).
  • "No record of certificates from prior years." This is the audit trail problem. Section B fixes it.
  • "Process exists but was not followed in N% of sampled cases." This is the worst finding because it's true. The fix is process automation — reminders that fire whether you're in the office or not.

Frequently asked questions

How far back do auditors typically go?

For lender or insurance audits, usually one to three years. For property due-diligence reviews during a sale, sometimes the full ownership period. For internal accounting close-outs, usually one fiscal year. Plan for three years as a defensible default.

What if I have a gap in my records?

Acknowledge it, don't hide it. Most auditors understand that perfect historical tracking starts when somebody decides to track perfectly — they're more interested in your process going forward than punishing past gaps. What they punish is the appearance of cover-up.

Do I need a downloadable PDF for every certificate?

Yes, in practice. A row in a spreadsheet that says "Acme Plumbing GL, expires 2026-09-14, $1M/$2M" is not enough. Auditors want to see the actual document. The certificate is the legal record; the spreadsheet is just the index.

Is a Certificate of Insurance enough on its own?

For most commercial vendor work, yes — combined with an indemnification clause in the master service agreement. For high-risk vendors (anyone doing structural work, hot work, or operating heavy equipment), some operators also collect a copy of the actual policy declarations page. That's belt-and-suspenders, not always required.

How long should I keep certificates after a vendor stops working with me?

Seven years from the last expiry is the standard answer in most U.S. jurisdictions, matched to the statute of limitations on common construction-defect claims. Some operators keep them indefinitely; storage is cheap. The wrong answer is "we delete them when the vendor leaves" — past claims can surface years later.

Can I do all of this in a spreadsheet?

You can. The constraint is discipline, not capability. The structure has to be one-certificate-per-row (not one-vendor-per-row), with no overwriting on renewal. Most teams give up on the discipline part somewhere around the fortieth row, which is when the audit history starts having gaps. If you've already been bitten by this, tooling helps.


Track your first 5 vendors free, with a built-in audit history of every certificate that's ever been on file. COI Tracker keeps every renewal as a separate record, sends 30/14/7-day reminders, and produces an audit-ready report when a lender or insurer asks. Free for your first 5 vendors. Starter is $9/mo for 50 vendors; Growth is $19/mo for 200, with PDF compliance reports on Pro at $29/mo.

Written by the COI Tracker team. We build tools for small property managers, general contractors, and operations leads who are one lapsed vendor away from a very bad Tuesday.