Guide
How to Audit Vendor Insurance Compliance
By Keelstar Team · Updated July 11, 2026
The short answer
Audit vendor insurance compliance by pulling a complete vendor population report, verifying each active vendor has a current ACORD 25 on file with documented review dates, and sampling certificates against contract requirements for limits, additional insured, waiver of subrogation, and expiration tracking. Compare your requirements matrix to actual certificates — not just presence of a PDF. Construction owners responding to lender and surety reviews, healthcare systems preparing for payer accreditation, and property managers facing tenant audits need evidence of systematic review, not ad-hoc folders. Document reviewer identity, pass/fail criteria, deficiency correspondence with brokers, and remediation dates. Run audits quarterly for high-risk tiers and annually for the full vendor base; escalate repeat offenders and systemic broker failures to procurement leadership.
Scope the audit population
Start with all vendors marked active who had site access, invoices, or contract value in the audit period. Exclude terminated vendors unless their work continued into the period. Segment by risk tier so high-exposure relationships receive full file review.
Audit checklist per vendor
For each sampled vendor, confirm: current ACORD 25 on file, review date within policy period, named insured match, each required line present and not expired, limits meet contract, additional insured and waiver requirements documented, certificate holder correct.
- Certificate on file and dated within active policy
- Review log with reviewer and outcome
- Limits pass by line vs contract exhibit
- Endorsements attached when contract requires
- Expiration tracking with reminder evidence
Identify systemic trends
Single-vendor deficiencies are operational; patterns are strategic. If 30% of certificates lack required umbrella limits, your requirements communication failed. If one broker repeatedly misnames certificate holders, escalate to vendor management.
Prepare for owner and payer audits
Construction owners face OCIP/CCIP and lender insurance audits. Healthcare operators face accreditation and business associate scrutiny. Export a compliance summary: active vendors, percent compliant, open deficiencies, cure timeline. Ad-hoc spreadsheet hunts fail external audit requests.
Remediation and enforcement
Assign deficiency cure deadlines — typically 10 business days for non-critical, immediate for lapsed coverage. Document broker correspondence. Vendors who cannot cure lose approved status. Repeat failures trigger contract review or termination.
Report results to leadership
Present audit findings to risk, procurement, and operations leadership with trend comparison to prior quarters. Insurance compliance is a leading indicator — expired COIs predict where stop-work and claim disputes will occur next.
Frequently asked questions
- How many vendor COIs should we sample in an audit?
- Audit 100% of active high-risk vendors — construction subs, life-safety contractors, healthcare clinical vendors. Sample 10–20% of low-risk active vendors. Increase sample size when prior audits found high deficiency rates.
- What documentation do external auditors want?
- Insurance requirements policy, review checklists, certificate files with review timestamps, deficiency letters, renewal tracking reports, and evidence of access blocks when coverage lapsed.
- How do we score compliance?
- Common metrics: percentage current on all required lines, percentage meeting limit requirements, percentage with required endorsements on file, average days deficient before cure.
- Should we audit brokers or vendors?
- Hold vendors contractually responsible; work with brokers operationally since they issue certificates. Track which brokers produce repeat deficiencies and adjust onboarding instructions.
Related guides
Put this into a monitored workflow
COI Tracker handles this continuously — with reminders and an audit trail.