Vendor contracts typically require the vendor to maintain certain certifications, insurance coverage, or compliance attestations through the term of the relationship: general liability insurance, workers compensation, professional liability, cybersecurity certifications, SOC 2 attestations, and various industry specific compliance evidence.
These requirements exist because the buyer needs assurance that the vendor maintains appropriate capabilities and protections. A vendor providing services in the buyer's facilities needs liability insurance to cover incidents. A vendor handling sensitive data needs security certifications to demonstrate protection. A vendor in a regulated industry needs compliance evidence to allow the buyer to rely on the vendor's work.
The requirement gets negotiated and the initial certificate gets provided at contract signing. After that, the tracking discipline often falls apart. Certificates expire and replacements do not arrive. The buyer continues the relationship without realizing the protection has lapsed. The lapse becomes visible only when an incident occurs and the certificate is needed.
The Common Vendor Certifications Requested
Different contract types require different certifications. Knowing the standard requirements helps build the tracking discipline appropriately.
Insurance certificates
Certificates of Insurance (COIs) confirm that the vendor maintains specified insurance coverage. Common types: general liability (with minimum coverage levels), workers compensation (for vendors with workers on buyer premises), professional liability (for service providers), commercial auto (for vendors with vehicles), and cyber liability (for vendors handling data).
COIs typically name the buyer as a certificate holder or additional insured. Certificate holder status gives the buyer notice if the policy is cancelled; additional insured status may provide the buyer direct coverage under the vendor's policy in certain circumstances.
Security certifications
SOC 2 reports (Type 1 or Type 2) for service providers handling sensitive data. ISO 27001 certification for vendors with information security programs. PCI DSS for vendors handling payment card data. HIPAA business associate attestations for vendors handling protected health information.
Compliance and regulatory attestations
Industry specific compliance evidence: FDA registration for medical device suppliers, NIST or CMMC for defense related contractors, regulatory certifications for financial services providers, ESG and sustainability certifications where required.
Business credentials
Business licenses, professional licenses, contractor licenses where applicable to the work being performed. These typically have annual or biennial renewal cycles.
Why Certification Tracking Falls Through
Several structural reasons explain why most companies struggle with ongoing certification tracking.
Certifications collected at contract signing only
The initial certificate is collected as part of contract execution. The renewal process is not built into the ongoing vendor management routine. When the certificate expires, no one is watching.
Stored in unconnected systems
The certificate gets stored in the contract repository or in a procurement folder. The vendor master, which tracks active vendors, has no link to the certificate status. There is no system that surfaces expiring certificates against active vendor relationships.
Ownership unclear
Procurement collected the original certificate. Legal may have the contract. Finance has the vendor master. Risk management may have policies about coverage levels. No one clearly owns the ongoing tracking, which means it does not happen.
Vendors do not proactively renew
Most vendors will provide a renewed certificate when asked. Few will provide a renewed certificate proactively. Without buyer initiated requests, the renewal cycle does not happen.
What the Risk Looks Like When Certificates Lapse
The risk of lapsed certifications varies by certification type, but the general patterns are predictable.
Insurance lapse during an incident
A vendor on the buyer's premises causes property damage or personal injury. The buyer's claim against the vendor turns out to be against an uninsured party. The damages either fall back to the buyer or remain unrecovered.
Security certification lapse during a breach
A vendor handling sensitive data experiences a security incident. The buyer's prior reliance on the vendor's SOC 2 attestation turns out to have been based on an expired certification. Liability questions become more complex.
Compliance attestation lapse during regulatory examination
A regulator examines the buyer's vendor management practices. Material vendors do not have current compliance evidence. The buyer's vendor management program is cited as deficient.
License lapse during work
A contractor performs licensed work (electrical, plumbing, construction) without a current license. The work may not comply with regulatory requirements. Permits and inspections may be jeopardized. The buyer may face fines or remediation costs.
Building the Tracking Discipline
Five components produce reliable certification tracking.
- Vendor master integration: certificate requirements and current status are linked to the vendor master record. Procurement, AP, and risk all see the certificate status when looking at the vendor.
- Defined refresh cadence: each certificate type has a defined renewal cadence. Annual for most insurance and compliance certifications. Biennial or triennial for some security certifications.
- Automated expiration alerts: as expiration dates approach, alerts route to the certificate owner with a defined timeline for refresh. 60 days, 30 days, and 15 days out are common alert points.
- Vendor request workflow: when a certificate is nearing expiration, an automated request goes to the vendor with the specific certificate needed and the deadline for return.
- Escalation when refresh fails: if the certificate is not provided by the deadline, escalation procedures kick in. This may include holding payment, suspending new orders, or in extreme cases reviewing whether the relationship should continue.
What the Process Looks Like
Practical implementation across a few vendor types:
General liability insurance for service vendors
Annual COI required. Sixty days before expiration, automated request sent to the vendor. New COI received and reviewed for coverage levels and certificate holder language. Stored in vendor master with expiration date updated. If not received by expiration, vendor flagged for follow up.
SOC 2 reports for SaaS vendors
Annual SOC 2 Type 2 expected. Ninety days before the report due date, request sent to the vendor. Report reviewed for control coverage and any qualifications. Stored and access controlled appropriately. Used in any annual vendor risk reassessment.
Workers compensation for contractors
Renewed annually with state required minimums. Sixty days before expiration, request sent. Coverage verified against state requirements. Stored against the contractor record. Active contractors without current coverage flagged for receiving and procurement attention.
The Procurement and Finance Handoff
Certification tracking sits between procurement, finance, and risk management. The handoff has to be defined for the process to work.
- Procurement defines the certification requirements during contract negotiation and collects the initial certificates
- The vendor master or contract management system tracks expiration dates and triggers renewal requests
- Procurement or a designated function manages the vendor request and certificate refresh process
- Finance maintains payment hold authority for vendors with expired certifications, as a control point
- Risk management defines the certification standards and reviews material certifications for adequacy
- Internal audit periodically tests the tracking discipline against the active vendor population
When these responsibilities are clear and named, the tracking discipline becomes sustainable. When they are diffuse, the discipline erodes regardless of how well the original tracking is set up.
The Risk That Most Audits Find
Internal auditors increasingly test certification tracking as part of vendor management reviews. The common findings:
- Active vendors with no current insurance certificates on file
- Certificates in the system but with expired dates
- Coverage levels below the levels required by the underlying contract
- Buyer not listed as certificate holder or additional insured as required
- Security certifications referenced in contracts but never collected
- No documented process for ongoing certificate renewal
Each finding individually is modest. Cumulatively they indicate a control weakness that has real exposure if any of the lapsed certifications becomes relevant. The remediation work is substantial but largely one time, after which the ongoing discipline can be maintained at modest effort.
Start Here
Pull a sample of 20 to 30 material vendors with contract requirements for insurance or certification. For each, check whether the current certificate is on file and not expired. The first time this is done, the gap is usually substantial.
From the diagnostic, the highest leverage one time fix is establishing the tracking system and the renewal request workflow. Even a simple spreadsheet with expiration dates and a defined refresh cadence dramatically improves the current state if the maintenance discipline is sustained.
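As an added example (not part of the original article), a small Python model of the tracking discipline described above: the 60/30/15 day alert tiers, the type specific renewal request lead times from the process examples (60 days for COIs and workers compensation, 90 days for SOC 2), the finance payment hold from the escalation step, and the common audit findings evaluated over a constructed sample of vendor records, the way the Start Here diagnostic would. The certificate type codes, record fields and sample vendors are assumptions for illustration, not anything from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REQUEST_LEAD_DAYS = {"COI": 60, "SOC2": 90, "WORKERS_COMP": 60}  # renewal request lead time per type
ALERT_POINTS = (15, 30, 60)  # expiration alert tiers from the list above, nearest first

@dataclass
class Certificate:
    vendor: str
    cert_type: str
    expires: Optional[date]                  # None: required by contract but never collected
    coverage: Optional[int] = None           # amount shown on the certificate, if applicable
    required_coverage: Optional[int] = None  # minimum the contract requires, if applicable
    buyer_is_holder: bool = True             # buyer named as certificate holder / additional insured

def alert_tier(cert, today):
    """Alert point reached (60, 30 or 15 days out), 'expired', 'missing', or None if not yet due."""
    if cert.expires is None:
        return "missing"
    left = (cert.expires - today).days
    return "expired" if left < 0 else next((p for p in ALERT_POINTS if left <= p), None)

def workflow_action(cert, today):
    """'hold' (finance payment hold, the escalation step) when missing or expired; 'request'
    once the type-specific renewal lead time is reached; None when nothing is due yet."""
    if alert_tier(cert, today) in ("missing", "expired"):
        return "hold"
    lead = REQUEST_LEAD_DAYS.get(cert.cert_type, 60)
    return "request" if (cert.expires - today).days <= lead else None

def audit_findings(cert, today):
    """The common audit findings listed above, evaluated against one vendor record."""
    findings = []
    if cert.expires is None:
        findings.append("no certificate on file")
    elif cert.expires < today:
        findings.append("expired certificate on file")
    if cert.required_coverage is not None and (cert.coverage or 0) < cert.required_coverage:
        findings.append("coverage below contract minimum")
    if not cert.buyer_is_holder:
        findings.append("buyer not listed as certificate holder")
    return findings

TODAY = date(2024, 6, 1)  # fixed date so the constructed sample below gives reproducible results
SAMPLE = [  # constructed records, not real vendors
    Certificate("Vendor A (facilities)", "COI", date(2024, 7, 15), 1_000_000, 2_000_000, False),
    Certificate("Vendor B (SaaS)", "SOC2", date(2024, 8, 1)),
    Certificate("Vendor C (electrical)", "WORKERS_COMP", date(2024, 5, 1)),
    Certificate("Vendor D (SaaS)", "SOC2", None)]
```

Running `audit_findings` over the whole sample gives the per-vendor view an auditor would build from the vendor master, while `workflow_action` is the state the automated request and escalation steps would act on each day.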