Skip to content
Keelstar

Guide

How to Audit Vendor Insurance Compliance

By Keelstar Team · Updated July 11, 2026

The short answer

Audit vendor insurance compliance by pulling a complete vendor population report, verifying each active vendor has a current ACORD 25 on file with documented review dates, and sampling certificates against contract requirements for limits, additional insured, waiver of subrogation, and expiration tracking. Compare your requirements matrix to actual certificates — not just presence of a PDF. Construction owners responding to lender and surety reviews, healthcare systems preparing for payer accreditation, and property managers facing tenant audits need evidence of systematic review, not ad-hoc folders. Document reviewer identity, pass/fail criteria, deficiency correspondence with brokers, and remediation dates. Run audits quarterly for high-risk tiers and annually for the full vendor base; escalate repeat offenders and systemic broker failures to procurement leadership.

Scope the audit population

Start with all vendors marked active who had site access, invoices, or contract value in the audit period. Exclude terminated vendors unless their work continued into the period. Segment by risk tier so high-exposure relationships receive full file review.

Audit checklist per vendor

For each sampled vendor, confirm: current ACORD 25 on file, review date within policy period, named insured match, each required line present and not expired, limits meet contract, additional insured and waiver requirements documented, certificate holder correct.

  • Certificate on file and dated within active policy
  • Review log with reviewer and outcome
  • Limits pass by line vs contract exhibit
  • Endorsements attached when contract requires
  • Expiration tracking with reminder evidence

Prepare for owner and payer audits

Construction owners face OCIP/CCIP and lender insurance audits. Healthcare operators face accreditation and business associate scrutiny. Export a compliance summary: active vendors, percent compliant, open deficiencies, cure timeline. Ad-hoc spreadsheet hunts fail external audit requests.

Remediation and enforcement

Assign deficiency cure deadlines — typically 10 business days for non-critical, immediate for lapsed coverage. Document broker correspondence. Vendors who cannot cure lose approved status. Repeat failures trigger contract review or termination.

Report results to leadership

Present audit findings to risk, procurement, and operations leadership with trend comparison to prior quarters. Insurance compliance is a leading indicator — expired COIs predict where stop-work and claim disputes will occur next.

Frequently asked questions

How many vendor COIs should we sample in an audit?
Audit 100% of active high-risk vendors — construction subs, life-safety contractors, healthcare clinical vendors. Sample 10–20% of low-risk active vendors. Increase sample size when prior audits found high deficiency rates.
What documentation do external auditors want?
Insurance requirements policy, review checklists, certificate files with review timestamps, deficiency letters, renewal tracking reports, and evidence of access blocks when coverage lapsed.
How do we score compliance?
Common metrics: percentage current on all required lines, percentage meeting limit requirements, percentage with required endorsements on file, average days deficient before cure.
Should we audit brokers or vendors?
Hold vendors contractually responsible; work with brokers operationally since they issue certificates. Track which brokers produce repeat deficiencies and adjust onboarding instructions.

Related guides

Put this into a monitored workflow

COI Tracker handles this continuously — with reminders and an audit trail.