COI / Compliance Pack (Payment + Renewal Controls)

Prevent compliance gaps by tying vendor compliance to payment and renewal decisions

Run the Operation | Core Playbook | 1 hour

What you'll accomplish

  • Create a simple, enforceable vendor compliance system (COI + key requirements)
  • Prevent "we found out too late" compliance failures (expired insurance, missing licenses, safety gaps)
  • Tie compliance to payment controls (AP won't pay if requirements aren't met)
  • Tie compliance to renewal controls (no renewal without compliance current)
  • Reduce risk without turning compliance into a bureaucracy

Who this is for

  • Procurement & Ops leaders: responsible for vendors
  • Finance/AP teams: who can enforce payment gating
  • Property/Facilities managers: who onboard vendors to sites
  • Anyone who has dealt with expired COIs after an incident

When to use this

Use this when:

  • You don't know which vendors have valid COIs
  • Vendors show up on site without required onboarding/compliance
  • Compliance is handled informally via email threads
  • AP pays invoices even when documentation is missing
  • Renewals happen without confirming vendor compliance status

Quick start (60 minutes)

Pilot with your top 10 service vendors:

  • Create the Compliance Requirements Matrix (Template 1)
  • Create the Vendor Compliance Tracker (Template 2)
  • Create a canonical compliance folder location per vendor
  • Request COIs from all 10 vendors (Template 3)
  • Set calendar reminders 60/30/15 days before expiration
  • Enable a simple payment gate: hold payments if COI is expired (Template 5)

The core principle (plain English)

Compliance has to be connected to the two moments vendors care about:

1) Getting paid

2) Getting renewed

If compliance is optional, it will drift.

Beginner rule: No valid COI, no payment (or at minimum, no payment for new work / non-critical services).

What "compliance" includes (minimum viable)

Minimum viable does not mean "everything." It means the few items that matter for risk and governance.

Minimum viable compliance items (start here)

  • COI (Certificate of Insurance) current and correct
  • W-9 / tax form (if required by your AP process)
  • Vendor legal entity name matches contract and invoice
  • Site access onboarding completed (as required)
  • Subcontractor disclosure (if they use subs, you should know)

Common add-ons (by vendor type)

  • Licenses (trade/contractor)
  • Bonding (where required)
  • Background checks (security-sensitive)
  • Safety training / toolbox talks documentation
  • OSHA incident reporting (where applicable)
  • Cyber/security requirements (for software vendors)

Beginner rule: Start with COI + site onboarding + W-9 and expand based on vendor risk.

Step-by-step implementation

1) Create your requirements matrix (by vendor category)

Different vendors have different risk levels. Don't apply a 'one-size-fits-all' list. Start with categories like: HVAC/mechanical, Electrical, Janitorial, Landscaping, Security, Waste, Construction/GC, Professional services, Software (optional).

Done looks like: A one-page matrix that says what each category must provide.

2) Build a compliance tracker (single source of truth)

Track: COI status, expiration dates, evidence links, owner, gating status (payable / hold).

Done looks like: One tracker used by Procurement + AP.

3) Standardize evidence storage

Within your contract repository, add the folder /Vendors/[Vendor]/01_Executed/Insurance_Compliance/ and store COIs, endorsements (if needed), licenses, and onboarding confirmations there.

Done looks like: From the tracker you can click straight to evidence.

4) Define gating rules (simple and enforceable)

  • Gate A — Payment gate: If COI expired, invoice is held or partially approved.
  • Gate B — Renewal gate: No renewal decision memo can be approved unless compliance is current.

Done looks like: AP and Procurement are aligned.

5) Implement the 'closeout cadence'

Compliance decays unless you run it on cadence.

  • Monthly: review compliance expirations in next 60 days.
  • Weekly (optional): review 'holds' and unblock critical vendors.

Done looks like: Regular review rhythm established.

Templates included

Template 1 — Compliance Requirements Matrix (copy/paste)

| Vendor category | COI required | Min limits (internal policy) | Endorsements needed | License needed | Site onboarding required | Subcontractor disclosure | Notes |
|---|---|---|---|---|---|---|---|
| HVAC | Yes | Yes | If required | Often | Yes | Yes |  |
| Janitorial | Yes | Yes | Sometimes | No | Yes | Sometimes |  |
| Security | Yes | Yes | Often | Sometimes | Yes | Yes |  |
| Waste | Yes | Yes | Sometimes | No | Yes | Sometimes |  |
| Construction/GC | Yes | Yes | Often | Often | Yes | Yes |  |
| Professional services | Yes | Sometimes | Rare | No | No | No |  |
| Software (optional) | Maybe | N/A | N/A | No | No | No | Security requirements separate |

Template 2 — Vendor Compliance Tracker (copy/paste table)

| Vendor | Category | Contract link | Compliance folder link | COI status (Valid/Expiring/Expired/Missing) | COI expiration date | Required endorsements received? | License status | Onboarding status | Payment status (OK/HOLD) | Owner | Next action | Due date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|

Template 3 — COI Request Email (copy/paste)

Subject: Request: current COI + endorsements for [Vendor]

Hi [Name],
To keep our vendor records current, please send your current Certificate of Insurance (COI) and any required endorsements for our file.

Please ensure:
- Legal entity name matches our agreement/invoices
- Coverage dates are current
- Any endorsements required by our agreement are included

PDF is perfect. Thanks,
[Name]

Template 4 — COI Deficiency Notice (copy/paste)

Subject: COI update needed — missing/expired documentation

Hi [Name],
We reviewed your insurance documentation and we are missing:
- [missing item] OR your COI is expired as of [date]

Please send an updated COI/endorsement by [date].  
Until updated documentation is received, invoices may be held or partially approved per our policy.

Thanks,
[Name]

Template 5 — Internal AP Hold Notice (copy/paste)

AP HOLD — Vendor Compliance

Vendor:
Issue: COI expired/missing or required compliance documentation missing
Date identified:
Owner:
Action:
- Hold invoices until updated COI received OR
- Approve undisputed/critical items only (if exception approved)

Evidence link:
Notes:

Template 6 — Vendor Onboarding Compliance Checklist (copy/paste)

Vendor Onboarding Compliance Checklist

- Executed contract stored (MSA/SOW/pricing/amendments)
- COI received and valid
- Required endorsements received (if applicable)
- W-9 received (if applicable)
- License verified (if applicable)
- Site access onboarding completed
- Subcontractors disclosed (if any)
- Billing rules communicated (change order ID requirements, documentation expectations)

Template 7 — Monthly Compliance Closeout Agenda (20 minutes)

Monthly Vendor Compliance Closeout (20 minutes)

1) Expiring in next 60 days (10 min)
- Vendor / expiration / owner / next action

2) Current holds (5 min)
- Which invoices/vendors are blocked?
- Are exceptions needed?

3) Process fixes (5 min)
- Any contract language missing?
- Any vendors that need re-training?

Common pitfalls

  • Compliance lives in inboxes and can't be found quickly
  • "Everyone owns it" → nobody owns it
  • AP pays anyway (gate not enforced)
  • Requirements are too complex (start minimum viable)
  • Expirations aren't tracked (the whole system collapses)

How to prove impact (KPIs)

  • % of top vendors with current COIs on file
  • # of invoices held due to compliance gaps (early on may increase, then drop)
  • Reduction in "expired COI discovered after incident" events
  • % renewals blocked until compliance updated (should drop over time)

Evidence and Confidence

Confidence: High (control-plane pattern is stable)

Assumptions: AP supports gating and procurement can request documentation.

Where this can fail: If enforcement is inconsistent or ownership is unclear.

Change log

v1.0 (2026-01): Latest release