What is a certificate of insurance (COI) and what should AP check on one?
Reference guide to vendor COI compliance tracking, including vendor records, onboarding requirements, compliance checks, fraud controls, and payment readiness.
A certificate of insurance is a one-page summary proving a vendor carries the insurance your agreement requires. AP (or whoever enforces compliance) should check: the coverage types present (general liability, auto, workers' comp, professional/E&O as applicable), that limits meet your contractual minimums, that your company is named as additional insured where required, and the policy expiration dates - an expired COI is no coverage at all.
At a Glance
| Aspect | Short Answer | Why It Matters |
|---|---|---|
| A certificate of insurance (COI) | A certificate of insurance is a one-page summary proving a vendor carries the insurance your agreement requires. | Keeps vendor records and payment decisions reliable. |
| Which vendors should require a COI | Risk-based: vendors who perform physical work on your premises, transport goods, do construction, or whose failure creates liability for you. | Keeps vendor records and payment decisions reliable. |
| Tracking COIs and other compliance docs | Move the documents onto the vendor record itself, with expiration dates that drive automatic alerts and - where possible - payment holds when coverage lapses. | Keeps evidence clear and reduces control risk. |
| What does "additional insured" mean | It means your company is added as a covered party under the vendor's policy, so that policy responds directly to claims arising from the vendor's work - rather than you suing the vendor and hoping they're solvent. | Keeps vendor records and payment decisions reliable. |
| Vendor types that need COIs | Construction and trades need general liability, workers' comp, and often auto and umbrella at high limits; on-site service vendors need general liability and workers' comp; transportation needs auto liability and cargo; professional services need E&O. | Keeps vendor records and payment decisions reliable. |
Which vendor types should require COIs and at what limits?
Risk-based: vendors who perform physical work on your premises, transport goods, do construction, or whose failure creates liability for you. A software vendor rarely needs one; a contractor on your roof always does. Set minimum limits by category in policy - and require your company be named additional insured so their policy actually responds to claims arising from their work.
How do I track COIs and other compliance docs without a 2014 spreadsheet?
Move the documents onto the vendor record itself, with expiration dates that drive automatic alerts and - where possible - payment holds when coverage lapses. The spreadsheet fails because nobody watches it; the fix is making expiration an enforced attribute of the vendor, so a lapsed COI surfaces at payment time instead of after an uninsured incident.
What does "additional insured" mean on a COI and why does it matter?
It means your company is added as a covered party under the vendor's policy, so that policy responds directly to claims arising from the vendor's work - rather than you suing the vendor and hoping they're solvent. Without additional-insured status, a vendor's certificate proves *they're* covered, not that *you're* protected. It's the difference between evidence and actual protection.
Which vendor types need COIs and at what limits (by industry)?
Construction and trades need general liability, workers' comp, and often auto and umbrella at high limits; on-site service vendors need general liability and workers' comp; transportation needs auto liability and cargo; professional services need E&O. Limits scale with the risk and the contract - set them by category in policy rather than negotiating each one from scratch.
How should compliance docs work for construction subcontractors?
Layered and sequenced: collect COI (with additional insured and waiver of subrogation), verify active trade licenses, track certified payroll on prevailing-wage jobs, and sequence lien waivers against payments (conditional with the pay application, unconditional after the payment clears). The expirations matter as much as the collection - a lapsed sub's COI mid-project is a serious exposure.
Vendor's COI expired and they're on Friday's payment run - block or pay and chase?
Default to blocking if your policy ties payment to compliance and the work carries real liability - paying an uninsured contractor defeats the control's purpose. The pragmatic exception: a brief, documented grace with management sign-off while the renewal is in hand. But "pay and chase" routinely becomes "pay and forget," which is exactly how uninsured exposure accumulates.
Should non-compliant vendors be automatically blocked from payment?
For categories where insurance is a genuine risk control, yes - automatic payment holds tied to document expiration enforce the policy without relying on someone remembering to check. Automation makes the control consistent; manual enforcement makes it occasional. Reserve hard blocks for documents that actually matter (COI for on-site work) so the control stays credible.
Vendor's COI names the wrong certificate holder or has lower limits than our contract - push back or accept?
Push back - a COI naming the wrong holder may not protect you at all, and limits below your contractual minimum mean you're carrying uncovered risk. Request a corrected certificate before activating or paying for the work. Accepting a deficient COI is accepting the gap it represents.
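As an added illustration (not Stampli's code or anything from this page), the Python below applies the checks described above at the payment gate: each required coverage type meets the policy minimum for the vendor's category, the certificate names the right holder and additional insured, the certificate has not expired, and a documented, time-boxed grace is honored only for expiry. The category minimums, the holder name and the approver are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
# Constructed minimum limits by vendor category (placeholder amounts; set real ones in policy)
MINIMUMS = {
    "construction": {"general_liability": 2_000_000, "workers_comp": 1_000_000, "auto": 1_000_000},
    "onsite_service": {"general_liability": 1_000_000, "workers_comp": 1_000_000},
    "professional": {"eo": 1_000_000},
    "software": {},  # rarely needs a COI, so nothing is mandatory
}

@dataclass
class COI:
    holder: str               # certificate holder named on the COI
    additional_insured: bool  # is our company named as additional insured?
    expires: date             # earliest policy expiration shown
    limits: dict              # coverage type -> limit on the certificate

@dataclass
class Grace:
    until: date               # documented, time-boxed exception
    approver: str             # management sign-off (required)

def coi_findings(category, coi, today, our_name):
    """List each deficiency against policy; an empty list means the COI is acceptable."""
    findings = []
    required = MINIMUMS[category]
    if not required:
        return findings
    if coi.expires <= today:  # assumption: coverage is treated as lapsed on the expiration date itself
        findings.append(f"expired {coi.expires.isoformat()}")
    if coi.holder.strip().lower() != our_name.strip().lower():
        findings.append(f"wrong certificate holder: {coi.holder!r}")
    if not coi.additional_insured:
        findings.append("not named additional insured")
    for cov, minimum in required.items():
        have = coi.limits.get(cov, 0)  # a missing coverage type counts as zero
        if have < minimum:
            findings.append(f"{cov}: limit {have:,} below minimum {minimum:,}")
    return findings

def payment_decision(category, coi, today, our_name, grace=None):
    """Payment gate: returns ('pay' | 'pay-with-grace' | 'hold', findings)."""
    findings = coi_findings(category, coi, today, our_name)
    if not findings:
        return "pay", []
    # Grace covers only a lapsed date with renewal in hand; wrong holder or low limits are never waived
    only_expiry = all(f.startswith("expired") for f in findings)
    if only_expiry and grace and grace.approver and today <= grace.until:
        return "pay-with-grace", findings
    return "hold", findings
```

Every hold carries the list of findings, so the same output can drive the vendor alert and the corrected-certificate request.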
What vendor certifications matter in healthcare?
OIG/SAM exclusion checks (you generally can't pay federal-program dollars to excluded parties), HIPAA business associate agreements for any vendor touching protected health information, and relevant facility/professional licenses. These are compliance obligations with real penalties, not nice-to-haves - screen at onboarding and re-screen periodically.
COI-tracking software vs doing it in the AP/vendor system - when do I need a dedicated tool?
If your AP/vendor system can store documents, track expirations, alert on lapses, and block payment on non-compliance, you likely don't need a separate tool - keeping compliance on the vendor record where payment happens is cleaner. Dedicated COI tools earn their place at high subcontractor volume, complex additional-insured verification needs, or when a third party must collect on your behalf.
Who owns vendor compliance tracking, and what does AP enforce at payment?
Risk, legal, or procurement typically sets the requirements (what coverage, what limits); AP enforces them at the payment gate (no current COI, no payment, where policy dictates). The clean division: someone defines compliance, AP makes it consequential by tying it to disbursement. Without the payment-time enforcement, the requirements are aspirational.
Stampli perspective
Stampli lets customers collect compliance documents like insurance certificates and licenses during onboarding, attached to the vendor record alongside tax forms with a full interaction history. Customers define what makes a vendor "payable," so if a mandatory document is missing or expired, invoices or payments can be automatically blocked - moving compliance enforcement from a manual spreadsheet check to a control that fires where the money moves.