DEV Community

GrimLabs

How to Pass a COI Compliance Audit Without Losing Your Mind

The worst morning of my property management career started with an email from our largest client's risk manager. Subject line: "Annual Vendor Compliance Audit - Documentation Due in 14 Days."

Fourteen days to produce certificates of insurance, compliance status, and verification records for 87 vendors. Our "system" at the time was a folder of PDFs on a shared drive and a spreadsheet that hadn't been updated in 3 months.

I spent the next 12 days in pure panic mode. Calling vendors at 7am begging for updated certificates. Manually checking every PDF against our requirements. Building a report format from scratch because we'd never actually produced one before. I barely slept.

We passed. Barely. But I swore I would never go through that again.

Why audits are getting more common

If you haven't been through a COI compliance audit yet, give it time. They're becoming standard.

Property owners, especially institutional ones (REITs, pension funds, family offices), are increasingly requiring their property management firms to demonstrate vendor insurance compliance. Not just "yes we track it" but "show us the data."

The drivers are straightforward:

  • Insurance carriers are asking tougher questions about vendor oversight at renewal
  • Litigation trends are putting more emphasis on negligent contractor selection
  • OSHA has increased enforcement actions related to contractor safety compliance
  • Management agreements increasingly include explicit compliance audit provisions

A property management attorney I talked to said she's seen vendor compliance audit clauses in about 60% of new management agreements in the past 2 years, up from maybe 20% five years ago. It's becoming table stakes.

What auditors actually look for

Having been through several audits now (and having talked to risk managers about what they're checking), here's what a typical COI compliance audit examines:

1. Certificate currency. Is every active vendor's certificate current and unexpired? This is the most basic check and the one where most firms fail first.

2. Coverage adequacy. Do coverage limits meet minimums in your management agreement? Auditors check GL, workers comp, auto liability, and umbrella against your stated requirements.

3. Additional insured verification. Are the right parties listed as additional insureds? Auditors want to see the property owner AND management company listed correctly.

4. Documentation completeness. Do you have certificates for ALL active vendors? Not just the big ones. The one you overlook is always the unlicensed handyman doing odd jobs with no insurance.

5. Process documentation. Sophisticated auditors want to see your process. How do you verify new vendors? What happens when someone is non-compliant? Is there a written policy?

6. Historical records. Some audits look back 12-24 months. Can you prove vendors were compliant when they were performing work? This is where "I just updated everything last week" falls apart.

Where most firms fail

Based on conversations with risk managers and my own painful experience, here are the most common audit failure points:

Missing certificates. Almost every firm has vendors with no certificate on file. Usually the smaller ones you onboarded informally. In one audit I saw, 22 out of 93 vendors had nothing on file.

Expired certificates treated as current. The certificate looks official but it's been expired for 4 months. Nobody caught it because nobody was checking.

No minimum requirements documented. You can't prove compliance if you haven't documented what compliance means. No written minimums by trade category? Auditors flag it immediately.

No follow-up on non-compliance. Having a vendor flagged as non-compliant is one thing. Having no record you did anything about it is worse. Auditors want to see action, not just a red cell in a spreadsheet.

I know a firm that lost their biggest client (a 400-unit portfolio worth $180K in annual management fees) because they couldn't produce compliant COI documentation for 40% of their vendors during an audit. Forty percent. The property owner gave them 60 days to fix it, they couldn't get it done in time, and the management agreement was terminated.

$180K in recurring revenue, gone. Because of certificates of insurance.

The audit prep checklist

If you've got an audit coming up (or if you want to be ready when one inevitably does), here's the prep process I've developed:

30 days before (or just do this now):

  • [ ] Pull a complete list of active vendors from your accounting system or vendor database
  • [ ] Cross-reference against your COI files. Flag any vendor with no certificate on file
  • [ ] Check every certificate for expiration date. Flag anything expired
  • [ ] Document your minimum coverage requirements by trade category (if you haven't already)
  • [ ] Identify your non-compliant vendors and prioritize by risk level

14 days before:

  • [ ] Contact all vendors with expired or missing certificates. Be specific about what you need
  • [ ] Follow up on any vendors who haven't responded to your first request
  • [ ] Review additional insured endorsements on your highest-risk vendor certificates
  • [ ] Prepare your compliance summary report showing overall compliance rate and breakdown by category

7 days before:

  • [ ] Final follow-up on outstanding certificates
  • [ ] Make a decision on non-responsive vendors (suspend, escalate, or document with a remediation plan)
  • [ ] Compile all certificates into an organized, accessible format
  • [ ] Have a second person spot-check 10-15 vendor files for accuracy

Day of audit:

  • [ ] Have all documentation accessible (not buried in email threads)
  • [ ] Be ready to explain your process, not just show your files
  • [ ] Know your compliance rate and be ready to discuss it honestly

One-click export changes the game

The thing that nearly killed me in my first audit was report generation. Even after updating all certificates, I still had to build the audit report from scratch. Which vendors are compliant, coverage amounts, expiration dates, actions taken. Building that from a spreadsheet took me almost 3 full days.

This is one of the reasons I built audit export into COIPulse. One click generates the full compliance report, formatted and ready to hand to an auditor. I never want to spend 3 days building an audit report again.

The mindset shift

Here's what I wish someone had told me before my first audit: the audit isn't the problem. The audit just reveals the problem.

If your compliance is solid day-to-day, audits are easy. Export your data and hand it over. The only reason audits are terrifying is because most firms know their tracking has gaps.

According to the Risk and Insurance Management Society (RIMS), organizations with documented compliance programs pass third-party audits at roughly twice the rate of those relying on manual processes. Not because technology is magic. Because it forces consistency.

Whether you use software or a disciplined manual process, the key is the same: care about compliance every day and the audit becomes a non-event.

That's the goal. Make the audit boring. Boring is good. Boring means you're ready.

Nobody wants another 12-day panic sprint. Least of all me.
