- A functioning vendor compliance program runs across five phases: contract review, COI review, approval and filing, ongoing monitoring, and post-termination tail.
- Every phase has specific items to check, and every phase has specific failure modes when items are skipped.
- Automation matters at scale. Manually running this checklist across hundreds of vendors at every renewal is unrealistic; automated systems catch the lapses that human review misses.
Vendor compliance programs fail at the edges. A vendor is onboarded correctly, the certificate is filed correctly, and then twelve months later the certificate expires without a renewal on file — and the client discovers it only when a claim occurs. Or the vendor is onboarded with a compliant COI, but the actual contract requires endorsements the certificate never proved, and no one catches it during the initial review.
This checklist is a field-tested playbook for running a real vendor compliance program at scale. It is not aspirational and it is not exhaustive theory — it is the specific list of items compliance teams actually need to check at each phase of the vendor lifecycle, along with the specific failure modes that show up when items are skipped.
Phase 1: Contract Review — Establish Requirements
Every vendor compliance program starts with the contract. Before a certificate can be evaluated, the requirements have to be extracted, documented, and stored in a form that can be checked against the certificate later.
- Read the insurance requirements clause in full — including any exhibits, schedules, addenda, and referenced attachments.
- Capture required policies: General Liability, Auto Liability, Workers' Compensation, Employer's Liability, Umbrella, Professional Liability, Cyber Liability, Pollution, Crime — whatever the contract lists.
- Capture required limits for each policy, including per-occurrence, aggregate, and any sub-limits.
- Capture required endorsements by form number where specified — CG 20 10, CG 20 37, CG 20 01, WC 00 03 13, etc.
- Capture Additional Insured requirements: which entities, which policies, ongoing vs. completed operations.
- Capture Waiver of Subrogation requirements: which policies, which entities.
- Capture Primary & Non-Contributory requirements.
- Capture certificate holder wording — the exact legal name and address that should appear on the COI.
- Capture notice-of-cancellation requirements (typically 30 days, sometimes 60 or 90 for critical vendors).
- Capture post-termination and completed operations maintenance obligations — how many years coverage must persist after the contract ends.
- Capture carrier rating requirements — typically A.M. Best A- VII or better.
Phase 2: Certificate of Insurance Review
The COI review is the moment where documented contract requirements meet the vendor's actual insurance program. Every field matters.
- Verify the exact legal entity is named as Certificate Holder — not the property manager when the property owner is the required holder.
- Verify each required policy is present with a policy number, effective and expiration dates.
- Verify each limit meets or exceeds the contract requirement — per-occurrence, aggregate, and sub-limits.
- Verify each carrier's A.M. Best rating meets the contract requirement.
- Verify Additional Insured checkboxes are marked on the required policies (GL, Auto, Umbrella as applicable).
- Verify Description of Operations text calls out the required entities as AI, the endorsement form numbers, and any Primary & Non-Contributory or Waiver of Subrogation references.
- Verify Products/Completed Operations aggregate is not blank or excluded.
- Verify Employer's Liability limits are shown separately on the WC line and meet the contract requirement.
- For high-value contracts, request the actual endorsement forms (CG 20 10, CG 20 37, WC 00 03 13, etc.) and verify the named entity matches the contract exactly.
- Verify notice-of-cancellation language and disclosure requirements.
Phase 3: Approval and File
Approving a vendor is a decision, and every decision needs a record. Compliance programs that skip this phase struggle at audit time and during claims.
- Store the COI, endorsement forms, and contract requirements together — not in separate systems.
- Store a record of who reviewed and approved the COI, when, and against what version of the contract requirements.
- Flag any accepted exceptions or waivers in writing — never verbally — and attach them to the vendor's file.
- Set a calendar reminder for the earliest policy expiration date on the COI.
Phase 4: Ongoing Monitoring
Compliance is not a one-time event. Policies expire. Carriers change. Endorsements are dropped at renewal. Vendors add employees or acquire new operations that change the exposure profile.
- Track every policy expiration date and issue a renewal request 30–45 days in advance.
- Re-verify against the current contract requirements at every renewal — not against the prior COI.
- For multi-year contracts, re-evaluate whether the vendor's operations have changed enough to require new coverages or higher limits.
- For contracts with Completed Operations maintenance obligations, maintain the AI endorsement for the required years even after the contract ends.
- Flag mid-term carrier changes and cancellations. A vendor who changes carriers may lose retroactive date continuity on claims-made policies.
Phase 5: Renewal, Exit, and Post-Termination Tail
The last phase of the vendor lifecycle is often the most neglected. Contract requirements do not end when the last invoice is paid.
- For claims-made policies (Professional Liability, Cyber Liability), require a tail endorsement or continuous coverage for the required post-termination period.
- For occurrence-form policies, verify the policy in force at the time of the work is preserved (usually automatic).
- For Completed Operations coverage, verify Additional Insured status persists for the required maintenance window across every renewal.
- Archive the final COI, all endorsements, and the contract file for the applicable statute of limitations or repose.
Common commercial agreements
Running the checklist automatically
CoverageReady runs this checklist automatically for every contract and COI in the system. Contract requirements are extracted with per-clause citations. COIs are parsed into their component fields — checkboxes, limits, effective dates, Description of Operations text, carrier ratings, endorsement references — and compared against each contract requirement individually.
Every requirement is scored: Pass, Broker Review, or Fail — with the source contract clause and the specific COI field attached to each finding. Renewals, tail obligations, and completed operations maintenance windows are tracked as lifecycle obligations that surface at the right time, not just at initial onboarding.
For compliance teams running programs at scale, this means the checklist runs every hour of every day across every vendor — instead of once, at onboarding, by an analyst who then moves on.
CoverageReady scans for the specific trigger phrases, endorsement form numbers, and entity references that indicate this requirement, capturing the exact clause and location within the contract.
Every extracted requirement links back to the highlighted clause in the source contract, so reviewers can verify the AI's interpretation without re-reading the full document.
- Requirement
- The Vendor Compliance Checklist
- Source clause
- Insurance Requirements §5.2
- Match status
- Pending broker review
High-confidence extractions auto-populate the compliance report. Anything below the confidence threshold is routed to broker review with the source clause attached.
- 1Extract every insurance requirement from the contract with a citation back to the source clause.
- 2Parse the vendor's Certificate of Insurance and endorsements into normalized coverage records.
- 3Compare requirements to coverage record-by-record — limits, endorsements, entities, and evidence.
- 4Flag any gap, mismatch, or low-confidence extraction for broker review before finalizing the report.
Frequently asked questions
How often should we recheck vendor compliance?
At every policy renewal, at contract renewal, and whenever a contract materially changes. Programs running claim-driven monitoring only miss lapses between renewal cycles.
What is the biggest failure mode in vendor compliance programs?
Approving a certificate that satisfies the coverage checkboxes but misses the specific endorsement requirements the contract calls for — usually the CG 20 series AI endorsements and Primary & Non-Contributory language.
Do we need to verify endorsements or is the COI enough?
For low-risk vendors, the COI with clear Description of Operations references is usually acceptable. For high-value contracts and higher-risk vendors (construction, mobile services, healthcare-facing), request the actual endorsement forms.
How long do we need to keep vendor compliance records?
At minimum, through the applicable statute of limitations and repose for the type of work performed. Construction and installation work often requires retention for 10+ years.
A functioning vendor compliance program runs across five phases: contract review, COI review, approval and filing, ongoing monitoring, and post-termination tail.
Every phase has specific items to check, and every phase has specific failure modes when items are skipped.
Automation matters at scale. Manually running this checklist across hundreds of vendors at every renewal is unrealistic; automated systems catch the lapses that human review misses.
Related resources
Continue building expertise with hand-picked references across the CoverageReady Knowledge Center.
- Automatic contract-to-COI matching across every requirement.
- Lifecycle tracking for renewals, tails, and completed operations chains.
See it working on your own contract
Upload a contract or COI and CoverageReady will extract the requirements, compare them to your active certificates, and flag every gap — with citations back to the source.
CoverageReady provides AI-assisted extraction, organization, and compliance tools designed to help users review commercial insurance requirements more efficiently. CoverageReady does not provide legal advice, insurance advice, or policy interpretations. Users should always consult qualified legal counsel or insurance professionals when making contractual or coverage decisions.