
COI Compliance Audit Checklist: Preparing Your Program for Review

Bramble·March 23, 2026

A COI compliance audit evaluates whether your organization has a functioning program for verifying that vendors meet their contractual insurance requirements - and whether you have documentation to prove it. Auditors can include your own internal audit team, external risk consultants, insurance carriers at renewal, or litigation opponents who want to demonstrate your negligence.

Here's what they look for and how to prepare.

What Auditors Evaluate

Five Areas Auditors Evaluate

1. Program Design: Documented standards for vendor insurance requirements
2. Collection Docs: Proof that COIs were proactively requested from all vendors
3. Verification Records: Evidence each COI was reviewed against contract requirements
4. Non-Compliance Mgmt: Documented deficiencies, cure requests, and resolutions
5. Ongoing Monitoring: Active tracking of expirations and renewal requests

A COI compliance audit typically covers five areas:

1. Program Design: Do you have documented standards for what insurance vendors must carry? Are requirements specific to vendor type and risk level, or one-size-fits-all? Is there a clear policy that work cannot begin until COI compliance is confirmed?

2. Collection Documentation: Can you show that you requested COIs from all vendors with insurance requirements? Can you show when requests were sent and when COIs were received?

3. Verification Records: Can you demonstrate that each COI was reviewed against specific requirements - not just received? Is there a record of who reviewed it, when, and what they verified?

4. Non-Compliance Management: When a vendor submitted a non-compliant COI, what happened? Is there a documented deficiency, a cure request, and either a resolution or a documented exception decision?

5. Ongoing Monitoring: How do you know when vendor coverage expires or lapses mid-term? Can you show active tracking of expiration dates and renewal requests?

Program Design Checklist

  • Written policy defining insurance requirements for each vendor category
  • Requirements tied to contract type and risk level (not a single standard for all vendors)
  • Documented workflow: who is responsible for requesting, reviewing, and approving COIs
  • Clear rule that work cannot begin until COI compliance is confirmed
  • Process for exception decisions: who approves, how it's documented

Common gap: Requirements exist in contracts but aren't compiled anywhere. Auditors want to see that you know what your requirements are, not just that they're somewhere in a contract file.

Collection Documentation Checklist

  • Log of all vendors with active insurance requirements
  • Record of COI request date for each vendor
  • Record of COI receipt date for each vendor
  • Follow-up records for vendors who didn't respond promptly
  • Record of which vendors are pending vs. compliant vs. non-compliant

Common gap: COIs arrive and get filed, but there's no record showing the request was made proactively, before work started. If a COI is in your files but you can't show when it was requested, you can't demonstrate due diligence.

Verification Records Checklist

  • Documentation of what was verified on each COI (coverage types, limits, endorsements, dates)
  • Comparison against specific contract requirements (not just "reviewed")
  • Identity of who performed the verification and when
  • Method of verification (manual review, automated system output)

Common gap: Files contain COIs but no verification records. A stack of COIs in a drawer doesn't demonstrate compliance - it demonstrates collection. Auditors want to see the review step.

Non-Compliance Management Checklist

  • Written deficiency notice to vendor specifying the gap
  • Timeline for cure (5-10 business days is standard)
  • Documentation of the vendor's response
  • Record of the corrected COI or the formal exception decision
  • Work-hold decisions documented for vendors who haven't cured

Common gap: Non-compliant COIs get noted informally ("I'll follow up with them") without formal documentation. If a vendor's worker is injured while their COI was non-compliant and you have no record of the deficiency or follow-up, your negligence exposure increases significantly.

Audit Trail Checklist

  • Timestamped records of all COI-related activities (requests, receipts, reviews, deficiencies, cures)
  • User-level records: who did what and when
  • Immutable records: ideally stored in a system where records can't be deleted or backdated
  • Accessible for retrieval by policy year or vendor for at least 7 years

Common gap: Spreadsheet-based tracking doesn't create a proper audit trail. Spreadsheets can be edited, don't timestamp changes, and don't track who made modifications. This is one of the strongest cases for purpose-built software.

Ongoing Monitoring Checklist

  • Active tracking of all policy expiration dates
  • Automated or calendar-based reminders at 60 and 30 days before expiration
  • Process for handling mid-term lapses (not just expiration monitoring)
  • Record of renewal requests and responses

Common gap: Initial compliance is verified, but renewals aren't tracked. A vendor who was compliant in January may have let their policy lapse in October. Without ongoing monitoring, you won't know until after an incident.

How Technology Closes Audit Gaps

Purpose-built COI compliance software creates the documentation that audits require:

  • Timestamped request and receipt logs
  • Automated comparison records showing what was checked against which requirements
  • Deficiency logs with communication records
  • Expiration tracking with renewal request documentation

Spreadsheets and email inboxes can hold COIs. They can't generate an audit-ready compliance report in 10 minutes.

If your current program would struggle to answer "show me every COI that was non-compliant in the last 12 months and what you did about it" - that's the gap to close before an audit finds it.

Bramble creates a complete, searchable audit trail for every COI event in your program. See how it works.