Reading a third-party Certificate of Analysis: what's missing from most labels

DRAFT — Replace before publishing externally. This is a substantive placeholder written by the build agent — review for factual accuracy and voice match before public launch.

A Certificate of Analysis is two documents at once. To a sales team, it is the proof point that justifies a price; to a quality unit, it is the technical attestation that a specific batch met specific limits using specific methods. Most operators read it the first way. The five red flags below are the ones that move a COA from a marketing artifact into a defensible technical record — or fail to.

The COA as a sales document vs the COA as a technical document

When a contract laboratory or an in-house QC unit issues a COA, it is making a defined, documented claim: that a named batch of material met named limits when tested by named methods on a named instrument by a named analyst on a named date. The signature line at the bottom is a personal attestation. The form-fields above the signature are the evidence supporting it.

When that same COA arrives in a sales deck, the form-fields are summarized into a single line — "Tested at 99.2% purity" — and the signature is treated as a logo. Both versions of the document are the same paper, but the second version is not what the regulator or the underwriter or the diligence reader is looking at. They are looking at the form-fields, and what is missing from them.

Section-by-section: identification, methods, results, signatures

A defensible COA contains four identifiable blocks. The identification block names the material, the batch, the quantity tested, the date received, and the date tested. The methods block names the test methods by reference — a compendial method, a published validated method, or an in-house method with a documented validation file. The results block lists each parameter, its specification, the actual value, and the unit of measure. The signature block names the analyst and the reviewer, with dates and titles.

Reading a COA top to bottom, the question on each block is: would a reviewer outside this lab be able to reproduce the test from what is on this page? If the methods block says only "in-house HPLC method," the answer is no. If the results block says "complies with specification" with no numerical value, the answer is no. If the signature block lists only a name with no title and no date, the answer is no. A COA that fails this test is not necessarily wrong — but it is not, on its face, defensible.

The five red flags

Over the last five years of reviewing third-party certificates for clients, the same five issues have come up again and again. They are not proof of fraud; they are proof of corner-cutting. Where they appear, deeper diligence is justified.

Red flag 1: missing accreditation number. A laboratory holding ISO/IEC 17025 accreditation lists its accreditation body and accreditation number on every COA within scope. A lab that lists accreditation as a logo on its letterhead but no scope-specific number on the COA may not actually be accredited for the test that was run.

Red flag 2: undated reference standard. Quantitative tests rely on reference materials with defined expiry. A COA that names a reference standard but not its lot number or expiry leaves the reader unable to confirm the test was run against a non-expired reference.

Red flag 3: "complies with spec" with no numerical results. A line that reads "Identity: complies" tells the reader nothing about the value at which it complied. The specification is a range; the result is a number. A COA that supplies only the verdict, not the number, is not auditable.

Red flag 4: methods named without revision. Compendial methods are revised on a regular cycle. A COA listing a compendial method name without the year of the revision used is making an attestation against a moving target. The revision year belongs on the COA.

Red flag 5: signature without title or date. The signatory is taking personal responsibility for the attestation. A signature without a title cannot be tied to a defined role; a signature without a date cannot be tied to a sequence of events. Both are required for the attestation to mean anything in a dispute.

The line "complies with spec" with no numerical value is a verdict without evidence. A COA is not an attestation; it is a record of what the attestation rested on.

What a real reviewer's annotated COA looks like

When we annotate a third-party COA for a client, the document comes back with three colors of marks. Green annotations confirm a section meets the standard above: accreditation number present, reference standard dated, results numeric. Yellow annotations flag a section that meets the standard but invites a clarifying question: an unusual specification range, a non-compendial method, an analyst whose name does not appear in the lab's published roster.

Red annotations flag the five red flags above and any numerical result that sits at the edge of its specification — within 5% of either limit. Sitting at the edge of a spec is not a failure, but it is a signal that the next batch may not pass; the supplier's process is operating closer to the boundary than is comfortable.

When to ask for a re-test vs walk away

A COA with one or two yellow flags and clean methodology is a re-test conversation. The reviewer asks the lab to clarify the flagged item, the lab supplies the clarifying evidence, and the file is closed. A COA with three or more red flags, or with a result at the edge of spec on a critical parameter, is a walk-away conversation, or at minimum a request for an independent retest at a different accredited laboratory at the supplier's expense.

The deciding factor is usually not the COA itself but the supplier's response when asked. A supplier who produces the underlying instrument data, the method validation file, and the analyst's training record within 48 hours has demonstrated that the COA was backed by real records. A supplier who treats the request as an insult has demonstrated the opposite.
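The red-annotation checks and the re-test versus walk-away rule above can be run mechanically over a COA once its form-fields are transcribed into a record; the sketch below is an added example, not the authors' own tooling. Assumptions: every field name and the sample record are constructed for illustration, "within 5% of either limit" is measured against the width of the specification range, specifications are two-sided, one or two red flags map to the "deeper diligence" wording from the red-flags section, and edge-of-spec results are not counted toward the three-flag threshold.

```python
EDGE_FRACTION = 0.05  # assumption: "within 5%" is 5% of the spec range width

# Constructed sample COA; every field name here is hypothetical.
SAMPLE = {
    "accreditation_number": "",
    "reference_standard": {"lot": "RS-0001", "expiry": "2026-01-31"},
    "methods": [{"name": "in-house HPLC method", "revision": None}],
    "results": [
        {"name": "purity", "low": 98.0, "high": 102.0, "value": 98.1, "critical": True},
        {"name": "identity", "value": None},  # "complies", no number
    ],
    "signatures": [
        {"name": "A. Analyst", "title": "QC Analyst", "date": "2025-03-02"},
        {"name": "R. Reviewer", "title": None, "date": None},
    ],
}

def red_flags(coa):
    """Return which of the article's five red flags a COA record shows."""
    ref = coa.get("reference_standard") or {}
    checks = [
        ("missing accreditation number", not coa.get("accreditation_number")),
        ("undated reference standard", not (ref.get("lot") and ref.get("expiry"))),
        ("verdict without numerical result",
         any(r.get("value") is None for r in coa["results"])),
        ("method named without revision",
         any(not m.get("revision") for m in coa["methods"])),
        ("signature without title or date",
         any(not (s.get("title") and s.get("date")) for s in coa["signatures"])),
    ]
    return [name for name, hit in checks if hit]

def edge_results(coa):
    """Numeric results within EDGE_FRACTION of either limit (two-sided specs only)."""
    edge = []
    for r in coa["results"]:
        if r.get("value") is None:
            continue
        margin = EDGE_FRACTION * (r["high"] - r["low"])
        if min(r["value"] - r["low"], r["high"] - r["value"]) <= margin:
            edge.append(r)
    return edge

def triage(coa):
    """Map red annotations to the article's re-test / walk-away decision."""
    flags, edge = red_flags(coa), edge_results(coa)
    if len(flags) >= 3 or any(r.get("critical") for r in edge):
        return "walk away or independent retest"
    return "deeper diligence" if flags or edge else "no red annotations"
```

Yellow annotations are left out because they depend on reviewer judgement rather than on whether a field is present.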

What this means for operators

  • Read every COA as a technical document. The summary line in the sales deck is not what regulators or underwriters will read.
  • Watch for the five red flags. Accreditation number, reference standard expiry, numerical results, method revisions, signature with title and date.
  • Treat results at the edge of spec as signals. A pass at the boundary today is a fail next batch more often than not.
  • Ask for the underlying records when it matters. A defensible supplier produces them quickly. A defensive one has given you the answer another way.
  • Keep the annotated copy. A reviewer's annotated COA is part of the file you would hand to a regulator if asked, and part of the file you would hand to your insurer if a claim were made.
