How to Evaluate a Supplier COA — What to Look For
A certificate of analysis, or COA, is one of the most important documents in your supply chain. It is the supplier's representation that a specific lot of an ingredient or raw material meets defined specifications. But a COA is only useful if you know how to read it — and if you have specifications to compare it against.
Here is a practical framework for evaluating supplier COAs.
Start With the Basics — Does It Actually Match Your Lot?
Before reviewing any test results, confirm that the COA corresponds to the actual lot you received. Check that:
• The lot number on the COA matches the lot number on the physical product and the receiving documentation
• The product name and item code match your purchase order and internal specification
• The manufacturer or supplier name matches your approved supplier
• The COA is dated — and is not so old that it raises questions about whether it reflects the current lot
It sounds basic, but mismatched COAs are more common than you might expect — and they represent a genuine supply chain control failure.
Review the Test Parameters Against Your Specification
A COA reports results, but those results need to be compared against your specifications to be meaningful. For each parameter, ask: do we have an internal specification for this, and does the reported result meet it?
Common parameters to review include:
• Microbiological: aerobic plate count, yeast and mold, coliforms, Salmonella, Listeria, E. coli O157:H7 (depending on the ingredient and risk profile)
• Heavy metals: lead, arsenic, cadmium, mercury — particularly important for botanical ingredients, spices, and supplements
• Moisture and water activity: relevant to shelf life and microbiological safety
• Allergen testing: if the ingredient is manufactured in a facility that also handles allergenic materials
• Physical and chemical: pH, particle size, viscosity, or other parameters relevant to your formulation
Evaluate the Testing Methodology
Not all test methods are equivalent. Where possible, confirm that the testing was conducted using recognized methods — AOAC, USDA, FDA BAM, or other validated methods. A COA that lists results without specifying the test method is less defensible than one that identifies the methodology used.
For critical parameters, consider whether third-party testing is appropriate in addition to the supplier's own testing. Supplier-generated COAs are a starting point, not necessarily the final word.
Check for Allergen Statements
If your product has allergen controls — and under FSMA Preventive Controls it should — the COA should be accompanied by or supplemented with allergen documentation. This typically includes a statement of allergens present in the ingredient itself, as well as allergens present in the manufacturing facility that could result in cross-contact.
A COA that is silent on allergens is not an allergen clearance. Make sure your supplier qualification process includes explicit allergen documentation, not just test results.
Red Flags to Watch For
• Results that are identical across multiple lots — this can indicate that the supplier is reusing a COA rather than testing each lot
• Results that are suspiciously close to the specification limit every time
• A COA with no testing date, no lot number, or no accreditation information for the laboratory
• Parameters that are missing entirely from a COA for an ingredient you know carries a relevant risk
• A supplier who is reluctant to provide COAs or who provides them only after significant follow-up
Practical tip: Build a COA review checklist into your receiving process. It does not have to be complex — but having a documented, consistent process ensures that COA review is actually happening and creates a record that it was done.
Bottom Line
A COA is a tool, not a guarantee. Its value depends entirely on what you compare it against and how rigorously you review it. Strong ingredient specification programs, a supplier qualification process, and consistent COA review practices are the foundation of a defensible supply chain.
Have questions about your facility's compliance needs? I offer a free initial consultation. Reach out at jeremycarter@woypc.com or visit the Contact page to get started.
