Most compliance teams have a process for collecting certificates of insurance. Fewer have a rigorous process for reviewing them. The difference matters more than people expect.
A COI can look perfectly complete and still leave your organization exposed. Mismatched names, checked boxes without supporting endorsements, limits that meet the letter of your contract but not the spirit of your risk tolerance — these are the problems that surface at the worst possible moment: when a claim is filed.
This checklist walks through each section of the ACORD 25, the standard form for liability insurance, and covers what to verify, what to watch for, and where compliance teams most commonly get tripped up.
Before You Start: Know What You’re Comparing Against
Reviewing a COI in isolation is not a review. It is a reading. A real review requires knowing what your contract actually requires.
Before opening the certificate, confirm the following from your vendor contract or insurance requirements schedule:
- Required coverage types (general liability, auto, workers’ compensation, umbrella, professional liability, etc.)
- Minimum limits for each coverage type
- Whether additional insured status is required
- Whether primary and noncontributory language is required
- Whether a waiver of subrogation is required
- Whether cancellation notice provisions are specified
- The exact legal name of your organization as it should appear as certificate holder
Without this reference point, you are reviewing a document without knowing what it is supposed to say.
1. Producer Information
The producer is the insurance broker or agency that issued the certificate. This section should include the agency name, address, and contact information.
What to verify: The producer is a licensed, identifiable insurance agency. If you cannot find the agency with a basic search or the contact information looks fabricated, treat it as a red flag. COI fraud is uncommon but real, and the producer field is often where fraudulent certificates fall apart.
2. Insured Name and Address
The insured is the vendor or contractor carrying the insurance. The name on the certificate must match the legal name of the contracting entity exactly.
This is one of the most common and consequential errors on a COI. Common problems include:
- A trade name or DBA listed instead of the legal entity name
- A parent company listed when the contracting entity is a subsidiary
- A slightly different spelling or abbreviation that may not hold up in a dispute
If the name on the COI is “Precision Construction Group” and your contract is with “Precision Electrical, LLC,” you have a mismatch. Ask for a corrected certificate before accepting it.
3. Coverage Types
The coverage section of the ACORD 25 lists the types of insurance in place and their policy numbers. The most common coverage types you will encounter are:
Commercial General Liability (CGL): Covers bodily injury and property damage arising from the vendor’s operations. This is the baseline requirement for virtually every vendor relationship. Confirm whether occurrence-based or claims-made coverage is in place — occurrence-based is generally preferable because it covers incidents that occurred during the policy period regardless of when the claim is filed.
Automobile Liability: Required if the vendor uses vehicles in the course of work for your organization. Confirm whether the policy covers owned, hired, and non-owned autos, or whether it is limited to owned vehicles only.
Workers’ Compensation: Covers the vendor’s employees for on-the-job injuries. Without this, a vendor’s injured employee may have a path to a claim against your organization. Confirm the policy meets the statutory limits for the relevant state.
Employers’ Liability: Often runs alongside workers’ compensation. Covers claims from employees not covered by workers’ comp statutes.
Umbrella or Excess Liability: Provides coverage above the primary policy limits. Confirm that the umbrella policy follows form over the underlying coverages and does not exclude coverage types you are relying on.
Professional Liability / Errors and Omissions: Required for vendors providing professional services, advice, technology, or design. General liability does not cover professional errors, so if the nature of the vendor relationship involves judgment or professional output, this coverage should be required separately.
What to verify: Every coverage type your contract requires is present with a policy number listed. A coverage type with no policy number may indicate the box was checked in error.
4. Coverage Limits
Each coverage type will show limits. General liability limits are commonly shown as per-occurrence and aggregate figures. The per-occurrence limit is the maximum paid for a single incident. The aggregate is the maximum paid across all claims during the policy period.
What to verify: Limits meet or exceed your contract requirements. Be aware that aggregate limits can erode over the course of a policy year as claims are paid. If a vendor has had significant claims activity, their remaining aggregate coverage may be less than the face amount suggests. For high-risk or high-value vendor relationships, it is reasonable to request confirmation that aggregate limits have not been substantially eroded.
5. Policy Dates
Each policy listed on the COI will show an effective date and an expiration date. Both matter.
What to verify: The policy effective date predates or aligns with the start of the vendor’s engagement with your organization. The expiration date extends through the full duration of the engagement, or a renewal certificate has been obtained.
A certificate issued today for a policy expiring next month is not a problem in isolation, but it is a trigger to set a renewal reminder. The single most common compliance failure in vendor management is a policy that expires during an active engagement without anyone noticing until something goes wrong.
Best practice is to initiate renewal requests 60 to 90 days before expiration.
6. Certificate Holder
The certificate holder section lists your organization as the party receiving the certificate as evidence of coverage. This section should contain your organization’s exact legal name and address.
What to verify: Your organization’s name is spelled correctly and matches the legal name used in the underlying contract. An incorrect or abbreviated name here can complicate your position in a dispute.
Being listed as certificate holder does not make you an insured under the vendor’s policy. It means you are entitled to receive the certificate as evidence that the policy exists. If your contract requires additional insured status, that protection comes from an endorsement, not from this field.
7. Endorsements: Where Most Reviews Fall Short
This is where COI review most commonly breaks down. The ACORD 25 form includes checkboxes and text fields that appear to indicate additional insured status, primary and noncontributory language, and waiver of subrogation. Checking a box or typing language into the description field does not make it so.
Each of these protections must be backed by an actual endorsement on the underlying policy. The only way to confirm they exist is to request and review the endorsement documents.
Additional Insured: The “additional insured” box may be checked on the COI, but coverage only attaches if the named endorsement is in place. For general liability, the standard ISO endorsements are CG 20 10 (ongoing operations) and CG 20 37 (completed operations). If your contract requires coverage for completed operations — meaning incidents that occur after the vendor’s work is done — both endorsements are typically needed.
Primary and Noncontributory: This language means the vendor’s policy responds first before any coverage your organization carries. It must be confirmed by endorsement, not by a note in the description of operations.
Waiver of Subrogation: This prevents the vendor’s insurer from pursuing a recovery claim against your organization after paying out a loss. It must be endorsed onto the policy. The description of operations section of the COI may reference it, but a reference is not an endorsement.
What to verify: For each endorsement your contract requires, request and review the actual endorsement document. A COI that references endorsements without providing them is incomplete.
8. Description of Operations
The description of operations field is a free-text area where the issuing broker can add specific language, endorsement references, or project details. This section frequently contains important information that does not fit elsewhere on the form.
What to verify: Any contractual requirements for specific language in this field are met. Some contracts specify exact wording that must appear here, particularly for additional insured designations or project-specific coverage. Review this field carefully rather than treating it as boilerplate.
9. Cancellation Notice
This section indicates whether your organization will receive notice if the vendor’s policy is cancelled or materially changed. A standard provision is 30 days’ notice, though the ACORD form has evolved over the years and the language here is often misunderstood.
What to verify: If your contract specifies a required notice period, the certificate reflects it. Be aware that cancellation notice provisions are often honored in practice but are not always legally enforceable depending on state law and the specific policy terms.
10. Signature
An unsigned COI is an incomplete COI. The authorized representative of the issuing agency must sign the form.
What to verify: The certificate is signed. If you receive an unsigned certificate, return it for signature before accepting it.
A Note on What a COI Review Cannot Tell You
Even a thorough review of the ACORD form has limits. The certificate is a summary document, not the policy itself. It does not reveal exclusions, deductibles, self-insured retentions, or policy conditions that could affect whether a claim is paid.
For high-risk vendor relationships or large contracts, asking for policy declarations pages or specific endorsement documents alongside the COI is reasonable and increasingly common practice. The certificate tells you coverage exists. The underlying documents tell you what that coverage actually does.
Using This Checklist
The value of a checklist is in its consistent application. A review process that runs differently depending on who is doing the reviewing, or how busy the team is that week, creates the same kind of gaps that manual spreadsheet tracking does.
A consistent review process means every vendor relationship is evaluated against the same criteria, deficiencies are identified before they become liability events, and your documentation is defensible if something does go wrong.
Clarita automates the extraction and verification of COI data against your coverage requirements, flagging gaps and deficiencies for your review rather than letting them accumulate in a file somewhere. If your team is managing vendor compliance at scale, join the waitlist to see how we can help.