How to Audit a Certificate of Insurance: The 5-Step Process

A systematic 5-step methodology for auditing Certificates of Insurance — from identity verification to final compliance determination.

Auditing a Certificate of Insurance is not reading a document. It is running a verification process against a defined set of requirements. The distinction matters because reading is passive and subjective — two reviewers may "read" the same certificate and reach different conclusions. Auditing is systematic and repeatable. The same certificate, audited against the same requirements, should produce the same result every time.

This guide presents a 5-step audit methodology that works whether you are reviewing one certificate or one thousand. Each step has a defined purpose, specific checks, and clear pass/fail criteria. Follow this process for every certificate that crosses your desk, and you will catch the gaps that less disciplined approaches miss.

Before You Start: Know Your Requirements

You cannot audit a certificate without requirements to audit against. Before evaluating a single field, you need:

  • Coverage types required: Which lines of insurance must the vendor carry? (GL, WC, Auto, Umbrella, Professional Liability, etc.)
  • Minimum limits: What are the minimum acceptable limits for each coverage type?
  • Required provisions: Which endorsements and provisions are required? (Additional Insured, Waiver of Subrogation, Primary and Noncontributory, Notice of Cancellation)
  • Acceptable carriers: Are there minimum AM Best ratings or carrier restrictions?
  • Certificate holder information: What is the exact legal entity name and address that should appear?

These requirements should be documented in your compliance program and, ideally, in the underlying contract with the vendor. Without defined requirements, auditing becomes guesswork.

Step 1: Identity Verification

The first step is confirming that the certificate represents the correct parties. This sounds simple but catches a surprising number of issues.

Verify the Insured Name

The "Insured" field on the ACORD 25 should match the legal entity name in your contract with the vendor. Check for:

  • Exact name match: "ABC Construction LLC" is not the same as "ABC Construction Inc." or "ABC Builders LLC." Legal entity names must match the contract.
  • DBA names: If the vendor operates under a DBA (doing business as), the legal entity name should still appear as the named insured, with the DBA potentially listed as well.
  • Parent vs. subsidiary: A certificate for "ABC Holdings Inc." may not cover "ABC Construction LLC" even if the latter is a subsidiary. Each legal entity typically needs its own coverage or must be specifically listed on the policy.

Verify the Producer

The producer (insurance agent or broker) is identified in the upper-left section of the ACORD 25. While you do not typically need to verify the producer's credentials, note the producer information for follow-up communication. If you need to request corrections, additional documentation, or clarification, the producer is your contact point.

Verify Carrier Names and NAIC Numbers

The "Insurers Affording Coverage" section lists each insurance company and its NAIC (National Association of Insurance Commissioners) number. Verify:

  • Carrier names are recognizable: Be cautious of unfamiliar carrier names. While legitimate niche carriers exist, unfamiliar names warrant verification.
  • NAIC numbers are present: Every admitted carrier has an NAIC number. You can verify these at the NAIC's online database (https://naic.org). Missing NAIC numbers may indicate surplus lines or non-admitted carriers, which may or may not be acceptable depending on your requirements.
  • AM Best ratings: If your program requires minimum financial strength ratings, verify the carrier's AM Best rating. An A- (Excellent) VII or better is a common requirement for commercial insurance programs.

Multiple carriers

It is normal for a vendor to have different coverage types with different carriers. General Liability might be with Carrier A, Workers' Compensation with Carrier B, and Auto with Carrier C. Each carrier has its own NAIC number and rating. Verify each one independently.

Step 1 Pass/Fail Criteria

  • Insured name matches contract exactly: Required
  • Producer information is present: Required
  • All carriers have NAIC numbers: Required
  • Carrier ratings meet minimums: Required if specified in your program

If the insured name does not match the contract, stop the audit. The certificate may be for the wrong entity entirely. Request a corrected certificate before proceeding.

Step 2: Coverage Verification

This step verifies that the vendor carries all required coverage types with adequate limits and valid dates.

Check Required Coverage Types

Compare the coverage types on the certificate against your requirements. For each required coverage type, verify it is present:

  • Commercial General Liability (CGL): Look for the General Liability section. Verify it is "Commercial General Liability" (not "General Liability" alone, which could indicate a non-standard form).
  • Workers' Compensation: Should show statutory limits for the state(s) where work is performed. Verify the "Per Statute" box is checked.
  • Commercial Automobile Liability: Verify the applicable coverage (Any Auto, All Owned Autos, Hired Autos, Non-Owned Autos). "Any Auto" provides the broadest coverage.
  • Umbrella/Excess Liability: Verify whether the umbrella is on an occurrence or claims-made basis, and whether it applies over all underlying coverages.
  • Professional Liability: If required, verify coverage is present. Note: Professional Liability often appears on a separate certificate (ACORD 25 or supplemental form) because it is typically claims-made coverage with different terms.

Verify Limits Meet Minimums

For each coverage type, compare the stated limits against your minimum requirements:

General Liability common limits:

  • Each Occurrence: $1,000,000 minimum is standard
  • General Aggregate: $2,000,000 is standard
  • Products/Completed Operations Aggregate: $2,000,000 is standard
  • Personal & Advertising Injury: $1,000,000 is standard
  • Damage to Rented Premises: $100,000 or $300,000 depending on requirements
  • Medical Expense: $5,000 is standard

Workers' Compensation:

  • Coverage A: Statutory (must be "Per Statute")
  • Coverage B — Employers' Liability: $500,000 / $500,000 / $500,000 minimum is common, though $1,000,000 each is increasingly required

Commercial Auto:

  • Combined Single Limit: $1,000,000 is standard

Umbrella/Excess:

  • Varies by vendor risk tier, commonly $1,000,000 to $5,000,000

Verify Dates

For each coverage type, check:

  • Effective date: The policy must be in effect. A certificate with a future effective date is not yet valid.
  • Expiration date: The policy must not be expired. This is the single most common compliance failure. If the expiration date has passed, the certificate is worthless.
  • Coverage period encompasses your contract period: The policy dates should cover the entire period of the vendor's work. If the policy expires before the contract ends, you need a renewal certificate before the expiration date.

Occurrence vs. Claims-Made

For General Liability, verify the basis of coverage:

  • Occurrence basis: Covers claims arising from incidents that occurred during the policy period, regardless of when the claim is filed. This is the standard and preferred basis for CGL.
  • Claims-made basis: Covers claims that are first made during the policy period. This is less common for GL and introduces retroactive date considerations. If claims-made, verify the retroactive date precedes the vendor's first day of work.

Claims-made GL requires extra scrutiny

If a vendor's General Liability is on a claims-made basis, verify the retroactive date and understand the implications for completed operations. Claims-made GL is unusual and may indicate the vendor has had difficulty obtaining standard occurrence coverage. Require an explanation and, if necessary, adjust your risk assessment.

Step 2 Pass/Fail Criteria

  • All required coverage types present: Required
  • All limits meet or exceed minimums: Required
  • All policies currently in effect (not expired): Required
  • GL is on occurrence basis (or claims-made with acceptable retroactive date): Required

Step 3: Provision Verification

This is where most audits succeed or fail. Coverage can be perfect — all types present, limits adequate, dates current — and the certificate still fails because the required provisions are missing.

Read the Description of Operations

The Description of Operations / Locations / Vehicles box is the primary location for provision language. Read this section carefully and completely. Look for:

Additional Insured language:

  • Your organization name should appear
  • "Additional Insured" should be explicitly stated
  • Endorsement form numbers should be referenced (CG 20 10, CG 20 37, or blanket forms like CG 20 33)
  • "As required by written contract" indicates blanket coverage

Waiver of Subrogation language:

  • "Waiver of Subrogation" should be explicitly stated
  • Should specify which coverage types (GL, WC, Auto)
  • Endorsement form numbers should be referenced (CG 24 04, WC 00 03 13, CA 04 44)

Primary and Noncontributory language:

  • "Primary and Noncontributory" should be explicitly stated
  • Check for contradictory language ("contributory," "excess," or "pro-rata" terms that negate the provision)
  • CG 20 01 or equivalent should be referenced

Notice of Cancellation:

  • Look for endorsed notice language beyond the standard ACORD boilerplate
  • Number of days' notice should be specified (30 days standard, 10 days for non-payment)
  • CG 02 24 or equivalent should be referenced

Verify Coverage Line Checkboxes

In addition to the Description of Operations:

  • Check the "Addl Insd" checkbox in the GL section
  • Check the "Subr WVD" checkbox for each applicable coverage type
  • These checkboxes alone are not sufficient verification, but their absence when provisions are claimed in the Description is a red flag

Check Blanket vs. Scheduled

If the provisions reference blanket coverage ("as required by written contract"), verify that your contract with the vendor includes the corresponding insurance requirements. Blanket endorsements only activate when triggered by a written contract.

If the provisions are scheduled (your organization is specifically named), verify the name matches your exact legal entity.

Step 3 Pass/Fail Criteria

  • All required provisions present in Description of Operations: Required
  • Endorsement form numbers referenced: Strongly recommended
  • No contradictory language: Required
  • Coverage line checkboxes consistent with Description: Required

Step 4: Certificate Holder Verification

The Certificate Holder section appears in the bottom-right of the ACORD 25. This section must correctly identify your organization.

Correct Legal Entity Name

The certificate holder name must match your exact legal entity name. "ABC Property Management" is not the same as "ABC Property Management, LLC" or "ABC Properties Inc." The legal name determines which entity receives notice, which entity is recognized as having rights under the certificate, and which entity can enforce contractual insurance requirements.

Correct Address

Address accuracy matters primarily for notice of cancellation purposes. If the certificate includes endorsed notice of cancellation (CG 02 24), the address on the certificate holder section is where the cancellation notice will be sent. An incorrect address means you may never receive the notice.

For certificates without endorsed cancellation notice, the address is less critical but should still be correct for record-keeping purposes.

Additional Insured Status Confirmed

The certificate holder section may include notations that the certificate holder is an Additional Insured. While the Description of Operations is the primary location for this information, confirmation in the certificate holder section provides additional verification.

Step 4 Pass/Fail Criteria

  • Legal entity name exactly matches your records: Required
  • Address is correct (especially with endorsed cancellation notice): Required
  • Certificate holder is not confused with Additional Insured status: Verified

Step 5: Final Determination

After completing Steps 1-4, you have all the information needed to make a compliance determination.

Score the Audit

Classify each finding by severity:

Critical findings (result in non-compliant status):

  • Missing required coverage type
  • Coverage limits below minimums
  • Expired policy
  • Missing Additional Insured endorsement
  • Insured name does not match contract

Warning findings (result in conditional/needs review status):

  • Missing Waiver of Subrogation
  • Missing Primary and Noncontributory
  • Missing endorsed Notice of Cancellation
  • Endorsement form numbers not referenced (provisions claimed but not documented)
  • Policy expiring within 30 days

Informational findings (noted but do not affect status):

  • No signature on certificate
  • Minor address discrepancy
  • Non-standard carrier (but acceptable rating)
  • Description of Operations truncated but key provisions present

Determine Compliance Status

Based on your findings, assign one of these statuses:

  • Compliant: All required coverage types, limits, provisions, and documentation are present and verified. No critical or warning findings.
  • Non-Compliant: One or more critical findings. The vendor cannot work until a compliant certificate is provided.
  • Needs Review: No critical findings, but one or more warning findings require resolution. The vendor may work under conditional approval while issues are addressed, depending on your program's rules.

Document and Communicate

Record your findings and communicate the result:

  • If compliant: File the certificate, set expiration tracking, and notify the vendor/project manager that compliance is verified.
  • If non-compliant: Document specific deficiencies, notify the vendor and their producer of what needs to be corrected, and set a deadline for resolution.
  • If needs review: Document the warning items, communicate what is needed, and set a follow-up date.

Always be specific

When communicating deficiencies, never say "the certificate is not compliant." Instead, list exactly what is missing or incorrect: "The certificate does not include Additional Insured endorsement for General Liability (CG 20 10 and CG 20 37 required). The Workers' Compensation section does not show Waiver of Subrogation (WC 00 03 13 required)." Specific deficiency lists get resolved faster because the producer knows exactly what to fix.

Common Audit Mistakes: Top 10

Even experienced reviewers make these mistakes. Audit your own process against this list.

1. Checking only limits, not provisions. Limits tell you how much the policy can pay. Provisions determine whether it will pay you at all.

2. Accepting the Addl Insd checkbox without reading the Description. The checkbox says "yes, we think there's an endorsement." The Description tells you what endorsement, for whom, and under what conditions.

3. Not verifying the insured name against the contract. A certificate for the parent company does not cover the subsidiary you contracted with.

4. Ignoring the occurrence vs. claims-made distinction. Claims-made coverage has a retroactive date that can exclude prior work. Missing this changes the entire coverage analysis.

5. Assuming the certificate creates coverage. The ACORD 25 states, in its own text, that it is issued as a matter of information only. It confers no rights upon the certificate holder and does not amend, extend, or alter the coverage afforded by the policies.

6. Not checking for policy gaps. If the vendor's GL expired on January 1 and the new policy is effective January 15, there is a 14-day gap. Any incident during those 14 days is uninsured.

7. Accepting "endeavor to" cancellation language as binding. Standard ACORD cancellation language provides no guaranteed notice. Only an endorsed notice provision (CG 02 24) creates a binding obligation.

8. Not verifying all coverage types. Reviewers sometimes check GL and skip WC verification because "the vendor doesn't have employees on site." If your contract requires WC, it must be verified regardless of the reviewer's assumption about the vendor's operations.

9. Not flagging approaching expirations. A certificate that passes audit today but expires in 15 days is a compliance gap waiting to happen. The audit should flag approaching expirations and trigger renewal tracking.

10. Single-reviewer dependency. If only one person in your organization can audit certificates, you have a single point of failure. Cross-train reviewers or implement technology that standardizes the process.

Manual vs. AI Audit Comparison

The 5-step process above works whether performed by a human or by technology. The difference is scale, speed, and consistency.

| Metric | Manual Audit | AI-Powered Audit |
|---|---|---|
| Time per certificate | 15-30 minutes | As little as 30 seconds |
| Daily capacity (1 reviewer) | 15-25 certificates | Unlimited |
| Consistency | Varies by reviewer, time of day, workload | Identical every time |
| Field extraction accuracy | ~95% (human error on data entry) | over 95% (computer vision) |
| Provision language analysis | Strong (experienced reviewer) | Strong (pattern matching + NLP) |
| Edge case handling | Strong (judgment calls) | Moderate (flags for human review) |
| Cost per certificate | $8-15 (loaded labor cost) | $0.25-0.50 |

Manual auditing works for organizations managing fewer than 50 vendors. Beyond that threshold, the combination of volume, expiration tracking, and consistency requirements makes technology essential — not optional.

Building Your Audit Checklist

Use the 5-step process to build a customized audit checklist for your organization. Start with the standard checks described above, then add:

  • Industry-specific requirements: Construction may require Builders Risk. Healthcare may require Professional Liability. Real estate may require Pollution Liability.
  • Tiered requirements: Not all vendors need the same coverage. A painting subcontractor and a general contractor have different risk profiles and should have different requirements.
  • Jurisdiction-specific rules: Workers' Compensation requirements vary by state. Some states have monopolistic state funds. Some states exempt certain employers.
  • Contract-specific provisions: Individual contracts may require provisions beyond your standard program.

The checklist should be a living document, updated as your requirements evolve and as you encounter new compliance scenarios. Every gap you discover in the field should feed back into your checklist to prevent the same gap from appearing again.

Consistency is the goal. Every certificate, every time, every reviewer, same process, same standard. That is what separates compliance programs that work from compliance programs that exist on paper.
