How to Track Certificates of Insurance: 2026 Complete Guide
What to capture, what to validate, why endorsements matter more than the cert page, and the 7-step process operations teams use to maintain 90%+ vendor compliance.
$165K+
Average lawsuit cost from one uninsured vendor incident
60–70%
Compliance rate for spreadsheet-based COI tracking
90%+
Compliance rate with automated COI platforms
5 yrs
Recommended COI document retention period
COI tracking is one of those tasks that nobody really owns. The risk team knows it matters. Accounts payable pays the invoices either way. Project managers just need vendors on site. Then something goes wrong, and suddenly it is the only thing that matters. This guide walks through what every COI should capture, why the additional insured endorsement matters more than the cert itself, and the 7-step process operations teams use to keep their vendor compliance above 90 percent.
- A Certificate of Insurance is informational. The policy endorsements are what legally extend coverage to you.
- CG 20 10 (ongoing) and CG 20 37 (completed operations) are the two endorsements that matter for general liability additional insured.
- Spreadsheet-based COI tracking achieves 60–70% compliance. Automated platforms reach 90%+.
- Best practice is to start renewal requests at 60 days before expiration, with automated reminders to both vendor and your team at 90/60/30/7 day intervals.
- Retain COIs at least 5 years after project completion. Latent claims surface long after the work ends.
Every COI field that needs to be captured
Spreadsheet-based COI tracking typically captures 4–6 of these. Audit-ready programs capture all 15.
| Field | Why it matters |
|---|---|
| Producer (broker) name + contact | Where to follow up if cert is wrong - the broker, not the insured |
| Insured name (must match contract exactly) | Mismatched legal entity is the #1 reason claims get denied |
| Carrier name + AM Best rating | Many master agreements require A- or better - track and enforce |
| Policy number per coverage line | Allows direct verification with the carrier in a claim |
| Effective + expiration dates per line | Drives the renewal alert schedule (90/60/30/7 days) |
| GL each-occurrence limit | Most owners require $1M minimum; high-risk work requires $2M+ |
| GL aggregate limit | Per-project aggregate (CG 25 03/04) prevents one project consuming aggregate |
| Auto liability limits | Required if vendor drives on-site or transports goods |
| Workers' comp coverage state-by-state | WC is state-specific; cert must show coverage in your state |
| Umbrella / excess limits | High-tier work or contracts > $1M typically require $5M+ umbrella |
| Additional insured language on the cert | Indicates intent - but the endorsement is what binds coverage |
| Endorsements (CG 20 10, CG 20 37, CA 20 48) | The legal mechanism that actually extends coverage to you |
| Waiver of subrogation | Required by most master agreements; often missing in error |
| Primary and non-contributory clause | Ensures vendor coverage applies first, before yours |
| Cancellation notice provision | 30-day notice common; without it, you find out at the next renewal |
The 7-step COI tracking process
Operationalize this once. Maintenance becomes near-automatic.
Define your insurance requirements per vendor type
Write your standing requirements in plain English: minimum GL, auto, WC, umbrella by category. Differentiate by risk: a janitorial vendor and a roofing contractor should not have the same minimum. Add carrier rating floors (typically AM Best A- or better) and required endorsements (additional insured, waiver of subrogation, primary/non-contributory).
Set up a vendor portal (or forwarding address)
The biggest mistake is asking vendors to email COIs to a generic inbox. They get lost, attached to wrong threads, never logged. Use a dedicated upload portal or a forwarding email like coi@yourcompany.com that automatically files the cert into the vendor's record.
Validate every cert against your requirements
A cert with $500K GL when you require $1M is non-compliant the moment it lands. Validation should happen automatically: parse the cert, compare each field against your rules, flag any deficiency, and notify both your team and the vendor before approval.
Capture additional insured endorsements separately
The cert page is informational. The endorsement (CG 20 10 for ongoing operations, CG 20 37 for completed operations) is what legally extends coverage to you. Capture both as separate records on the vendor file. Without the endorsement, additional insured status can be denied at claim time even though the cert listed your entity.
Set 90/60/30/7-day renewal reminders
Reminders should fire to both the vendor and your team. Best practice is to start the renewal request at 60 days out: brokers can be slow, carriers can change, and you want buffer for delays. Reminders that only go to your team perpetuate the chase; reminders that go to the vendor put renewal action where it belongs.
Run quarterly compliance reports for risk and AP
Pull a list of every active vendor with current compliance status, expiring certs in the next 30 days, and any vendors operating with stale or insufficient coverage. Share with your insurance broker, AP team, and project managers. This is also your audit log if your own carrier ever asks.
Retain certs for at least 5 years post-project
Latent claims (especially completed-operations) can land years after the project ends. Retain all certs and endorsements for at least 5 years from project completion. ExpiryEdge defaults to indefinite retention with timestamped audit trails.
Want this fully automated?
ExpiryEdge runs the whole 7-step process automatically: AI parses each cert, validates it against your insurance requirements, captures additional insured endorsements separately, and runs the full 90/60/30/7-day reminder cadence. See how COI tracking works in ExpiryEdge →
Frequently asked questions
What buyers, brokers, and risk teams ask about COI tracking.
What is a Certificate of Insurance (COI)?
A Certificate of Insurance (COI) is a one-page document from a broker or carrier that proves a business currently has active insurance. It lists the insured business, the carrier, the policy numbers, the start and end dates, and the coverage limits for each type (general liability, auto, workers comp, umbrella). The standard form is called ACORD 25. The COI is just proof - it is not the policy itself, and it does not extend any coverage to you. The actual policy and any endorsements are what bind the coverage.
What is the difference between a COI and additional insured status?
A Certificate of Insurance just tells you the vendor has coverage. Additional insured status is what actually extends that coverage to protect your business if something goes wrong. The COI page may show "additional insured" in the description box, but the real protection comes from a policy endorsement. For general liability, that is usually CG 20 10 (for ongoing work) or CG 20 37 (for completed work). For auto, it is CA 20 48. Good COI tracking captures both the certificate AND the endorsement.
What insurance limits should I require from vendors?
Standard minimums for low- to medium-risk commercial vendors: General Liability $1M per occurrence / $2M aggregate; Auto Liability $1M combined single limit; Workers Comp at the state-required limit with $500K Employer's Liability; Umbrella $1M to $5M depending on contract size. Higher-risk work (construction, work at height, hot work) usually requires $2M GL, $5M umbrella, and project-specific endorsements. Always require the vendor's policy to be primary and non-contributory to yours.
What is the ACORD 25 form?
ACORD 25 is the standardized Certificate of Liability Insurance form used across the United States. ACORD (Association for Cooperative Operations Research and Development) maintains the template that insurance carriers and brokers complete to issue certificates. The form has fixed sections for producer, insured, carriers, coverage types and limits, and a description-of-operations box. ACORD 25 is the default form requested when someone says "send me a COI."
How often do COIs need to be updated?
COIs should be re-collected at every policy renewal - typically annually, or whenever the vendor changes carriers. Best practice is to start the renewal request at 60 days before expiration. If a vendor changes carriers mid-policy, request an updated cert immediately. If a vendor cancels coverage (rare but possible), you should be notified - which is why most master agreements require a 30-day cancellation notice provision and why some buyers use platforms like Certificial that integrate with broker management systems for live policy status.
What are CG 20 10 and CG 20 37 endorsements?
These are standard ISO general liability endorsements that add a third party as an additional insured. CG 20 10 covers "ongoing operations" - liability for bodily injury or property damage that occurs during the work. CG 20 37 covers "completed operations" - liability that arises after the work is finished. Both are typically required in master agreements: ongoing for the project itself, completed for the years afterward when latent defects can surface. Always require both forms together if the work has any post-completion exposure.
Can I just check a vendor's COI once at onboarding?
No - and this is the most expensive mistake property managers and GCs make. A COI is a snapshot of one moment in time. Coverage can lapse, carriers can be downgraded, limits can be reduced, and endorsements can be removed. A January-issued cert may not reflect April reality. Active tracking with renewal reminders, mid-policy change detection, and continuous validation is the only way to keep risk transferred where it belongs.
What is "primary and non-contributory" insurance language?
"Primary and non-contributory" is contract language requiring that the vendor's insurance respond first in a covered loss, before any insurance you carry. Without this language, the vendor's policy and yours could share the loss pro-rata, defeating the purpose of risk transfer. The language appears both in the contract itself and as an endorsement on the vendor's policy. Always require both.
How do I detect mid-policy cancellations?
Three layers. First, contractually require 30-day written notice of cancellation in your master agreement and on the cert. Second, verify the vendor's broker contact and document them - the broker (not the vendor) is the source of cancellation notice. Third, for higher-risk vendors, use a platform that integrates with broker management systems (Certificial, MyCOI, ExpiryEdge's broker integrations) to receive real-time policy status updates rather than relying on the vendor or their broker to remember.
How long should I retain COIs after a project ends?
Minimum 5 years from project completion, longer for high-risk work. Latent claims - especially under completed-operations coverage - can land 3-10 years after the project ends. The certificate documents the coverage that was in force during the work, which is what your defense will rely on if a claim surfaces years later. ExpiryEdge retains all certs indefinitely with timestamped audit trails so retention is never the constraint.
Keep reading
More guides to help you pick the right compliance tool.
Sources & further reading
Authoritative references consulted for this article.
- ACORD - Standardized insurance forms - Source for ACORD 25 Certificate of Liability template
- ISO - Commercial General Liability endorsements - Reference library including CG 20 10 and CG 20 37 forms
- Vertikal RMS - COI Complete Guide 2026 - Industry benchmarking on COI tracking practice
- BCS - COI tracking buyer's guide - Buyer-side perspective on COI software requirements
- IRMI - Additional insured explained - Industry reference for endorsement structure
Stop chasing certificates. Start tracking them.
ExpiryEdge gives property managers, GCs, and HOAs a full COI tracking platform on a flat monthly subscription - no per-vendor fees.
Start Your 14-Day Free Trial