Certificate of Analysis (COA) for Food Manufacturers

Certificate of Analysis (COA) for Food Manufacturers

A Certificate of Analysis (COA) is a document issued by a manufacturer or accredited laboratory confirming that a specific batch or lot of product was tested against defined specifications and met them. In food manufacturing, a COA accompanies each lot of raw material, ingredient, or finished product and provides the laboratory evidence required by FSMA, SQF, BRCGS, and FSSC 22000.

For food safety and quality professionals, the COA is one of the most important documents in your receiving and supplier management workflow. It is the paper trail that confirms what you ordered is what arrived, and that it meets the safety and quality specifications your food safety plan requires.

This guide covers everything food manufacturers need to know about certificates of analysis: what they must contain, how to read one, what your regulatory and certification obligations actually say, and how to build a COA review workflow that holds up in an audit.

What Is a Certificate of Analysis (COA)?

A Certificate of Analysis (COA) is a document issued by a manufacturer or accredited laboratory confirming that a specific batch or lot of product was tested against defined specifications and met them. In food manufacturing, a COA accompanies each lot of raw material, ingredient, or finished product and provides the laboratory evidence required by FSMA, SQF, BRCGS, and FSSC 22000.

In plain terms, a COA answers three questions: what was tested, what were the results, and did the lot pass? Every COA covers a specific lot or batch, not a product in general. A COA that applies to "all lots of Product X" is not a valid COA.

What's on a food-industry COA:

• Product or material identification (name, internal code, supplier code)
• Lot or batch number, manufacturing or harvest date, expiration or best-by date
• Tested parameters (chemical, physical, microbiological, allergen)
• Numerical test results against specification limits
• Test methods used for each parameter
• Lab accreditation details (ISO/IEC 17025 scope, FDA LAAF status if applicable)
• Statement of conformity and authorized signature

Who issues a COA:

A COA can come from three sources: the supplier's in-house QC lab, a third-party accredited laboratory contracted by the supplier, or your own in-house QC lab after receipt testing. The trust hierarchy between these three matters and is covered in detail later in this guide.

Why a COA Matters: Regulatory and Business Case

The COA is the most commonly used piece of evidence to release a lot from receiving hold and move it into production. Without it, you are making a release decision with no documentary evidence that the lot meets spec. That creates a liability gap in your food safety plan, a problem in your certification audit, and a gap in your recall defense file.

Receiving Inspection, Hold-Until-Released, and the Food Safety Plan

Your food safety plan almost certainly includes a receiving inspection procedure. That procedure requires you to verify, for each incoming lot of a hazard-relevant raw material, that the supplier controlled the identified hazard. A COA is the most common documented verification that the supplier did exactly that.

Without a COA on file, a lot cannot be demonstrated to have met specification at the time of release. In an audit or a recall investigation, "we trusted the supplier" is not a defensible answer. A COA is the documented answer.

Supplier Verification and Supplier Approval

Your supplier approval program defines which suppliers are approved, what verification activities apply to each, and how often those activities are performed. For most approved suppliers of food ingredients, lot-by-lot COA review is the standard ongoing verification activity, supplemented by periodic supplier audits or third-party testing.

A COA also feeds your supplier scorecard. If a supplier's COA results are trending toward the specification limit over successive lots, that is early warning data. Without COA trending, you miss the signal until the out-of-spec lot arrives.

Recall Defense and Audit Readiness

In every recall investigation and every GFSI certification audit, COAs are among the first records pulled. Auditors want to confirm that you received a COA for each lot of each raw material covered by your supplier verification program, that you reviewed it against specification, and that you retained the record.

COAs that can be retrieved by lot number, supplier, and date in under five minutes are the audit-ready standard. COAs buried in email folders are not. The Codex Alimentarius General Principles of Food Hygiene (CXC 1-1969) reinforces this foundational principle: food businesses must verify that raw materials and ingredients meet established specifications before use.

COA Obligations Under FSMA and the Supply-Chain Program

No competitor result in the current SERP cites this regulation for food COAs. FSMA's preventive controls rule is the U.S. legal foundation for food-industry COA review obligations, and it is specific.

21 CFR 117.410: The Supply-Chain Program in Plain English

Under the FSMA Final Rule for Preventive Controls for Human Food, a receiving facility that identifies a hazard requiring a supply-chain-applied control must have a supply-chain program. That supply-chain program must include verification activities for each approved supplier that are appropriate to the hazard and the supplier's performance history.

21 CFR 117.410 explicitly lists COA review as an accepted verification activity. The verification activity you select must be appropriate to the nature of the hazard and the likelihood and severity of the hazard if not controlled. For a supplier of a pathogen-controlled ingredient, COA review alone may not be sufficient. For a supplier of a chemical-parameter-controlled ingredient with a strong audit history, lot-by-lot COA review is a reasonable and defensible choice.

Supplier Approval and COAs as Verification Evidence

21 CFR 117.420 requires that the supplier verification activities are actually carried out before the raw material or ingredient is used. That means the COA must be received and reviewed before the lot is released into production, not after the fact.

The documentation of that review must be retained per 21 CFR 117.475. Your COA review record needs to show who reviewed it, when, and what the release decision was. A COA sitting in a shared drive with no review record attached does not meet this standard.

COAs for Imported Ingredients Under FSVP

If you import food ingredients from foreign suppliers, the FSMA Foreign Supplier Verification Programs (FSVP) Final Rule imposes additional obligations. FSVP importers routinely use COAs as part of their verification activities for foreign suppliers, typically combined with periodic facility review or third-party audits. COA review under FSVP must be documented and records must be retained for at least two years.

USDA-Regulated Products and COA Expectations

For meat, poultry, and egg facilities regulated under USDA FSIS HACCP regulations (9 CFR Part 417), the logic is the same. COAs for ingredients and packaging materials are standard evidence for ingredient release decisions under HACCP. FSIS inspectors expect to see documented verification that incoming materials meet specification before they enter the process.

COAs and FSMA 204 Key Data Elements

The FSMA Final Rule on Requirements for Additional Traceability Records (Rule 204) requires covered businesses to capture and maintain Critical Tracking Event (CTE) data with Key Data Elements (KDEs) including lot code, source supplier identifier, and date. Enforcement ramps up in 2026.

A well-constructed COA already carries the data points FSMA 204 requires. The lot or batch number, the supplier name and location, and the production or harvest date are all standard COA fields. The problem for most facilities is that these data points are not being formally linked to the receiving record and inventory tracking system at the time of COA review.

If you design your COA receipt workflow so that the lot number on the COA is verified against the shipping document, the PO, and the inventory tag, and then the COA is filed against the lot in your QMS, that COA becomes a primary FSMA 204 traceability rule record. For more on building a traceability-ready receiving workflow, see our guide to food traceability.

The FSMA Final Rule on Requirements for Additional Traceability Records covers foods on the Food Traceability List, including leafy greens, tomatoes, peppers, cucumbers, melons, tropical tree fruits, herbs, sprouts, finfish, crustaceans, molluscan shellfish, shell eggs, and nut butters. If you receive any of these as raw materials, your COA management workflow is now also a FSMA 204 compliance workflow.

How GFSI-Benchmarked Schemes Define COA Expectations

GFSI-benchmarked certification schemes (SQF, BRCGS Issue 9, FSSC 22000 v6, and ISO 22000:2018) all impose documented expectations around supplier verification and raw material conformance. COA review is the standard evidence used to satisfy these requirements across all four schemes.

For background on GFSI Recognition and Benchmarking, the common thread across all benchmarked schemes is the requirement to verify that raw materials and ingredients conform to specification before use. COA review is the primary mechanism.

SQF Raw Material and Supplier Specification Clauses

The SQF Food Safety Code for Food Manufacturing requires that raw materials and ingredients conform to documented specifications, and that supplier performance is monitored on an ongoing basis. COA review is the most common ongoing monitoring activity for approved suppliers. SQF auditors specifically look for evidence that COAs are received for each lot, reviewed against spec, and retained. For a full breakdown of what SQF requires at audit, see our SQF certification complete guide.

BRCGS Issue 9: Supplier and Raw Material Clauses

The BRCGS Global Standard for Food Safety Issue 9 addresses COA requirements through two key clauses. Clause 3.5 covers supplier approval and performance monitoring. COA review is listed as an acceptable ongoing monitoring method, and the standard requires it to be documented. Clause 5.4 (raw material and packaging specifications) requires that specifications are in place and that incoming materials are verified against them. A COA is the standard verification record.

BRCGS auditors frequently cite non-conformances where COAs are present but not reviewed against the documented specification, or where COAs are received for some lots but not all. Both are audit failures. For a full walkthrough of BRCGS requirements, see our guide to BRCGS certification requirements.

FSSC 22000 v6 and ISO 22000:2018: Externally Provided Products

The FSSC 22000 Scheme v6 is built on ISO 22000:2018. Clause 7.1.6 (externally provided processes, products, and services) requires organizations to determine and apply criteria for evaluation and selection of external providers. Clause 8.5.3 (control of externally provided processes, products, and services) requires documented verification that externally provided items conform to requirements before use.

A COA reviewed against a documented specification is the standard evidence for both clauses. FSSC 22000 v6 auditors expect to see a closed loop: you have a specification, the COA references the specification fields, you reviewed the COA before release, and the record is retained. For more on the FSSC 22000 v6 changes and what they mean for your supplier program, see our guide to FSSC 22000 version 6 requirements.

COA Requirements Across Food Safety Schemes

What Goes on a Food-Industry COA (Field-by-Field)

This section covers what a complete food-industry COA must contain. Use this as a checklist when evaluating your own COAs or setting expectations with new suppliers.

Identification Block

Every food COA should start with a clear identification block that ties the document unambiguously to a specific lot:

• Supplier name and manufacturing site address
• Material or product name and internal material code
• Supplier product code or catalog number
• Lot or batch number (must match the physical label on the product)
• Production or harvest date and expiration or best-by date
• Purchase order or sales order reference
• COA issue date and document number

If the lot number on the COA doesn't match the lot number on the bag tags, pallet label, or shipping document, stop the review. That mismatch is the most common COA red flag and the one that most receiving teams skip under time pressure.

Test Parameters and Results

The core of the COA is the test results table. For a food ingredient, this typically covers:

• Chemical parameters: moisture, pH, water activity (aw), fat, protein, ash, salt or sodium, preservative levels, heavy metals (lead, cadmium, arsenic, mercury) where applicable
• Physical parameters: particle size, color (L/a/b or Minolta), viscosity, density, foreign material screen results
• Microbiological parameters: aerobic plate count (APC), total coliforms, E. coli, Salmonella (25 g composite), Listeria monocytogenes, yeast and mold
• Allergen declaration: statement of allergens present, processed in proximity to, or absent, covering the Big 9 (milk, eggs, fish, shellfish, tree nuts, peanuts, wheat, soy, sesame)
• Pass/Fail or Within Spec/Out of Spec judgment for each parameter

Each tested parameter needs a numerical result (not just "Pass"), the specification limit, and the unit of measure. A COA that only shows "Compliant" without numerical data is not useful for trending and doesn't support a defensible specification review.

Test Methods and Method Validation

Every tested parameter on a food COA should identify the test method used. This matters because different methods can produce different results for the same parameter, and comparisons across lots or suppliers are only meaningful if the same method is used consistently.

Standard method references to look for include AOAC Official Methods of Analysis (OMA) method numbers, ISO method numbers (e.g., ISO 4833 for APC), USDA FSIS test methods, and USP or Food Chemicals Codex methods for ingredient purity. If a supplier lists "internal method" for a critical parameter with no method ID, flag it. You cannot evaluate whether an internal method is validated or appropriate.

The AOAC Official Methods of Analysis Program sets the consensus standard for food testing methods in the U.S. When a COA cites an AOAC OMA method number, the result is tied to a validated, peer-reviewed methodology that regulators and auditors recognize.

Lab Accreditation Block

A complete food COA includes documentation of the lab's accreditation status:

• Lab name and address (not just the supplier's name)
• ISO/IEC 17025:2017 accreditation number and accreditation body name
• Scope of accreditation (the specific tests and matrices covered)
• FDA LAAF accreditation status where applicable

ISO/IEC 17025:2017 is the international gold standard for testing laboratory competence. Accreditation confirms that the lab has validated methods, calibrated equipment, qualified personnel, and documented quality systems. The scope matters: a lab can be ISO/IEC 17025 accredited for water chemistry and not accredited for Salmonella testing in dried egg powder. Always confirm the scope covers the specific test and matrix on the COA.

The FDA Laboratory Accreditation for Analyses of Foods (LAAF) Program recognizes accreditation bodies whose accreditations meet FDA's requirements for specific food testing scenarios. LAAF-recognized lab accreditation is an additional trust signal on a food COA.

Statement of Conformity and Signatory

A complete food COA closes with a formal statement that the lot conforms to the agreed specification, signed by an authorized individual. The signatory should be identified by name and title, not just initials. The signature date should match or post-date the test completion date. A photocopied signature used repeatedly across COAs from the same supplier is a red flag.

How Food COAs Differ from Pharmaceutical Batch-Release COAs

If you source ingredients from nutraceutical, vitamin, or supplement suppliers, you may receive pharmaceutical-style COAs. Under 21 CFR 211.165, pharmaceutical CGMPs require verification of the identity and strength of each active ingredient before distribution. The regulatory frame is 21 CFR Part 211, not FSMA.

Pharmaceutical COAs tend to include identity testing and purity assays that go beyond standard food COA content. They are typically more rigorous, but they are designed for a different regulatory context. You can use a pharma-style COA as food COA evidence, but confirm it covers the food-relevant parameters your specification requires, including allergens, microbiological parameters, and food-relevant contaminants, not just pharmaceutical identity and purity fields.

How to Read a Food COA: A Worked Example

This walkthrough uses an anonymized but realistic example of a food-ingredient COA review. No food-safety guide currently in the top search results does this for a food ingredient. Alliance Chemical does it for chemical COAs. Cannabis Workforce Initiative does it for cannabis COAs. Here is what it looks like for a food ingredient.

Scenario: A 25 kg lot of dehydrated whole egg powder from an approved supplier arrives for use in a ready-to-eat bakery formulation. The receiving QC technician pulls the COA from the supplier portal before releasing the lot.

Step 1: Identification check

Confirm the lot number on the COA (Lot: DEP-2024-1178) matches the lot number on the bag tag (DEP-2024-1178) and the bill of lading. Confirm the production date (March 14, 2024) is within the expected manufacture window for this PO. Both match. If they didn't, the lot goes on hold pending clarification. Mismatched lot numbers are the most common COA red flag and the one most receiving teams skip under time pressure.

Step 2: Spec check, parameter by parameter

Work through each parameter against your approved specification for this material:

Confirm the allergen declaration matches what your bill of materials expects. An egg powder that also declares peanuts processed on shared equipment would need to be reviewed against your allergen management plan before release.

Step 3: Method check

The Salmonella result is tested per AOAC OMA 2014.05, a validated method. The moisture result lists "AOAC 930.15," also a recognized method. If a parameter has no method reference, or lists "internal method" without a validation number, note it as a finding and contact the supplier for clarification. You don't need to reject the lot immediately, but you need a documented method ID to complete the review.

Step 4: Lab accreditation check

The COA identifies the testing lab as "Pacific Rim Analytical Services, Accreditation No. L-12847, A2LA." Confirm A2LA's accreditation scope for this lab includes Salmonella detection in dried egg products. A2LA scope information is publicly searchable. Scope confirmed.

Step 5: Signatory check

The COA is signed by the supplier's QA Manager (name visible), dated March 18, 2024, which post-dates the test completion on March 16, 2024. The signatory is consistent with previous COAs from this supplier. No concerns.

Step 6: Release decision

All parameters pass. The COA is filed against Lot DEP-2024-1178 in the QMS, linked to the PO, the receiving record, and the inventory lot. The lot is released into production. For more on what your testing programs should cover across ingredient categories, see our guide to essential food safety testing methods.

How to Tell If a COA Is Trustworthy

A COA is only as reliable as the lab that produced it and the process that issued it. This section covers how to evaluate both.

Lab Accreditation Signals on a COA (ISO 17025, LAAF)

ISO/IEC 17025:2017 accreditation is the signal that the lab has third-party-verified competence for the tests it performs. When you see an ISO/IEC 17025 accreditation number on a COA, your next step is to verify the accreditation scope. Most major accreditation bodies (A2LA, ANAB, Perry Johnson, PJLABS) have publicly searchable scope databases. Accreditation scope confirms which tests, which matrices, and which detection limits are covered.

The FDA LAAF Program recognizes specific accreditation bodies for food testing. LAAF recognition adds another layer of assurance that the accreditation body itself meets FDA's standards. When a COA comes from a LAAF-recognized lab, it carries the strongest lab-level signal available on a food COA.

Test Method Validation and AOAC OMA References

The test method on a COA tells you how the result was produced. When a COA cites an AOAC Official Methods of Analysis Program method number, the result is tied to a consensus methodology that has been validated for the specific matrix and analyte. AOAC OMA methods are referenced in U.S. CFR and Codex and are the default defensible choice for food testing.

When a method isn't cited or is listed as "internal," ask the supplier to provide the method ID and validation summary. A supplier that can't or won't document the test method for a critical parameter is worth scrutinizing more closely.

Supplier-Issued vs Third-Party vs In-House COAs: A Trust Hierarchy

Not all COAs carry the same weight. Here is how to think about the three sources:

Third-party accredited lab COA: The strongest independent evidence. The lab has no financial relationship with the outcome and its methods are independently validated. This is the standard for high-hazard materials or new suppliers without an audit history.

Supplier-issued COA from supplier's own lab: Acceptable for approved suppliers with a strong audit history and consistent COA results over time. Acceptance should be paired with periodic third-party verification testing under your supplier approval program to confirm the supplier's in-house results are accurate.

In-house COA (your own lab): Highest control, but requires that your lab has validated methods for the parameters you are testing. This is common for finished-product release testing before distribution.

The decision about which COA type to require should be documented in your supplier verification program and calibrated to hazard severity and supplier history. Use your supplier quality management tools to track COA types by supplier and flag when a high-hazard supplier is only providing in-house COAs.

COA Red Flags and Fraud Indicators

Food COA fraud is more common than most quality teams expect. Typical fraud patterns include copying results from a previous COA onto a new document, using a generic lab header without a real accreditation number, and issuing COAs with results implausibly close to round numbers across every lot. Watch for:

• Identical numerical results across multiple lots ("ghost COAs"), especially for microbiological parameters
• Lot numbers on the COA that don't match the physical label or shipping document
• Specification limits on the COA that don't match your approved specification for that material
• Missing method references or "internal method" with no method ID for critical parameters
• No accreditation logo or scope reference on third-party lab results
• Templated or photocopied signatures, or signatures that differ between COAs issued on the same day
• COA issue dates that pre-date the production date on the same document

Any of these should trigger a hold and a formal supplier escalation. For a documented escalation process, see how to use a supplier corrective action request (SCAR) when a COA fails your review criteria.

COA Review SOP: A Step-by-Step Receiving Workflow

A documented COA review procedure is what SQF, BRCGS, and FSSC 22000 auditors want to see. Here is a practical step-by-step workflow you can adapt to your facility.

Step 1: Receive the COA before or with the shipment

The COA should arrive before the truck backs up to the dock, either through your supplier portal, by email, or attached to the delivery paperwork. If a COA is not available at receipt, the lot goes on hold until it arrives. Don't release lots and then review the COA afterward.

Step 2: Confirm the COA matches the shipment

Verify the lot number on the COA against the bag tag, pallet label, purchase order, and bill of lading. Confirm the product name, supplier, and quantity match. Any discrepancy between the COA and the physical shipment is cause for hold.

Step 3: Run the five-point review

Check identification (lot number match), spec compliance (all parameters within limits), method references (known validated methods for each critical parameter), lab accreditation (ISO/IEC 17025 scope confirmed for the relevant tests), and signatory (named individual, dated, consistent with previous COAs from this supplier).

Step 4: Document the review

Record who reviewed the COA, the date and time of review, and the release decision (Release, Hold, or Reject). A digital record with a user-stamped timestamp is the audit-ready standard. Initialing a paper COA and filing it in a binder is acceptable but creates retrieval problems at audit.

Step 5: Release, hold, or reject

Release the lot and file the COA against the lot in your QMS. If parameters are out of spec or the COA fails a red-flag check, place the lot on hold and initiate your non-conforming material procedure. If the COA cannot be produced within your receiving hold window, reject the lot.

Step 6: File the COA against the lot

The COA must be retrievable by lot number, supplier, material, and date. In a recall, you will need to pull every COA for every lot of every affected ingredient used in the recalled product within 24 hours. If your COA filing system can't do that, it is a recall readiness gap.

Step 7: Trend COA data across lots

Track COA pass/fail rates by supplier and flag parameters that are trending toward specification limits. This is the supplier scorecard input that lets you catch a deteriorating supplier before an out-of-spec lot arrives. Understanding how COA data fits into your broader quality program is covered in our guide to food quality control vs quality assurance.

Allera's document control and supplier modules make COA review the default, not the exception. See how document control software for compliance keeps your COA review procedure current and accessible at every receiving station.

Food-Industry COA Template: What to Include

Most COA templates available online are designed for pharmaceutical batch release or laboratory chemical applications. They don't include fields for food-specific parameters like allergen declarations, pathogen testing, foreign material screening, or FSMA 204 lot traceability data. A food-industry COA template requires a different structure.

Here is what a complete food-industry COA template should include, organized by block:

Header block

• COA document number and version
• Issue date
• Supplier name and manufacturing site
• Receiving facility name

Material identification

• Material name and internal material code
• Supplier material or catalog code
• Country of origin

Lot identification (FSMA 204 KDE fields)

• Lot or batch number
• Harvest or production date
• Source supplier identifier (FDA-defined KDE)
• Traceability lot code where applicable

Test results blockEach parameter row should include: parameter name, test method (AOAC OMA number or equivalent), numerical result, specification limit, unit of measure, and Pass/Fail judgment.

Food-specific fields

• Allergen statement: declared allergens present, present on shared equipment, and absent (covering Big 9 plus sesame)
• Pathogen testing summary: organism, sample plan (e.g., n=5, c=0), result
• Foreign material screen: metal detection result, sieve or screen result
• GMO status: Non-GMO, GMO, or Not Tested
• Kosher, Halal, or Organic certification reference and certificate number where applicable

Lab accreditation block

• Testing lab name and address
• ISO/IEC 17025 accreditation number and body
• LAAF recognition status where applicable
• Scope confirmation for each critical test

Signatory block

• QA Manager or Lab Director name and title
• Signature
• Date of authorization

This structure satisfies the field requirements expected under SQF, BRCGS Issue 9, FSSC 22000 v6, and FSMA 21 CFR 117.410, while including the FSMA 204 KDE fields that will be required under 2026 enforcement.

COA Software vs Spreadsheets: When to Upgrade

Where Email and Spreadsheet COA Management Breaks Down

Most food facilities start with some combination of a shared inbox and a spreadsheet for tracking supplier COAs. That approach breaks down in predictable ways. COAs get buried in email threads or the inbox of an employee who has left the company. Manual lot matching means someone is hand-checking every PO number against every COA. Spec comparison is done by eye, which creates the risk that a marginal out-of-spec result gets released because the reviewer missed it.

When an auditor asks for the COA for Lot X of Ingredient Y from Supplier Z for the production run on a specific date, the answer in an email-based system is "let me search my inbox." That is not audit-ready. At scale, the problem compounds: facilities managing dozens of approved ingredients from dozens of suppliers can receive hundreds of COAs per month. Spreadsheet tracking cannot keep pace with that volume and provide the lot-level linkage that recall readiness requires.

What to Look for in COA Management Software

Purpose-built supplier management software for food manufacturers should handle:

• A supplier-facing portal where approved suppliers upload COAs against specific POs or lot numbers
• Automated spec-to-result comparison that flags out-of-spec or near-spec results before the lot is released
• Lot-linked storage so every COA is retrievable by lot number, supplier, material, date, and PO in seconds
• Supplier scorecarding with COA on-time delivery rates and pass/fail history by parameter
• FSMA 204 traceability lot code linkage so the COA functions as a formal traceability record
• Version-controlled specification management so the spec the COA is reviewed against is always the current approved version

For a broader look at how supply chain software for food manufacturers supports supplier verification beyond COA management, see our dedicated guide.

Allera's food supplier and quality platform centralizes COA collection, auto-compares results to specification, and links each COA to the lot for recall and audit, without spreadsheets or inbox archaeology. Learn more at our food quality management software page.

COA FAQ: Certificate of Analysis for Food Manufacturers

Q: What is in a Certificate of Analysis?

A: A Certificate of Analysis contains the product or material identification (name, lot number, production date), test results for all tested parameters against specification limits, test methods used, the lab's accreditation information, and a statement of conformity signed by an authorized individual. In food manufacturing, a complete COA also includes an allergen declaration, pathogen test results, and any relevant certification statuses (Kosher, Halal, Non-GMO, Organic).

Q: How do I get a Certificate of Analysis?

A: You request a COA from your supplier for each lot of raw material or ingredient you receive. Most approved suppliers provide COAs through a supplier portal, by email with each delivery, or attached to the delivery paperwork. If you are having ingredients tested at a third-party lab, the lab will issue the COA directly. For your own finished products, your in-house QC lab or a contracted third-party lab issues the COA before you release product for distribution.

Q: What is the difference between a COA and a Certificate of Conformance (CoC)?

A: A Certificate of Analysis (COA) contains actual test results and numerical data proving that a specific lot was tested and met specification. A Certificate of Conformance (CoC) is a supplier declaration that the product conforms to the agreed specification, but typically contains no test data. In food manufacturing, a CoC alone is generally not sufficient for FSMA supply-chain program compliance or GFSI certification audits. Auditors want to see the actual test data, not just a declaration.

Q: What are the requirements of a Certificate of Analysis?

A: A food-industry COA must at minimum identify the specific lot or batch, list all tested parameters with numerical results and specification limits, cite the test method for each parameter, identify the testing laboratory and its accreditation, and include a signed statement of conformity. Under FSMA 21 CFR 117.410, the content of the COA must be appropriate to the hazard being verified. Under BRCGS Issue 9 and SQF, the COA must demonstrate conformance to the documented material specification on file.

Q: Are COAs required by FSMA?

A: FSMA does not mandate a COA by name, but 21 CFR 117.410 requires supplier verification activities appropriate to the hazard, and COA review is explicitly listed as an accepted verification activity. The practical effect for most FSMA-regulated food facilities is that lot-by-lot COA review is the standard documented verification method for approved ingredient suppliers. See our guide to FSMA compliance software for more on building a compliant supply-chain program.

Q: Do I need to keep COAs for SQF, BRCGS, or FSSC 22000 audits, and for how long?

A: Yes. All three schemes require records of supplier verification activities, and COAs are the primary record. FSMA requires a minimum two-year retention period under 21 CFR 117.475. BRCGS Issue 9 requires records sufficient to demonstrate compliance, typically three years plus the product shelf life. SQF and FSSC 22000 retention requirements are similar. The safe default is to retain COAs for the product shelf life plus three years, or as long as required by the most stringent regulation or scheme that applies to your facility.

Q: Can I rely on a supplier-issued COA, or do I need to test in-house?

A: It depends on the hazard, the supplier's history, and your scheme requirements. For high-hazard materials (ready-to-eat ingredients with a Salmonella or Listeria hazard, allergen-containing materials), periodic third-party verification testing is strongly recommended even for long-approved suppliers. BRCGS Issue 9 specifically requires that you periodically verify supplier COA results through independent testing. For lower-hazard materials from suppliers with consistent audit results, supplier-issued COAs reviewed against specification are generally sufficient as the ongoing verification activity.

Q: What does ISO/IEC 17025 accreditation on a COA actually mean?

A: ISO/IEC 17025:2017 accreditation means the testing lab has been assessed by an independent accreditation body against an international standard for laboratory competence. It confirms that the lab has validated test methods, calibrated and maintained equipment, qualified and trained staff, and a documented quality management system. Critically, the accreditation covers specific tests on specific matrices, and the scope is publicly verifiable. If a COA shows an ISO/IEC 17025 accreditation number, always confirm the scope covers the specific test in the specific matrix before treating it as accredited testing.

Q: What if a COA result is out of specification?

A: Place the lot on hold immediately. Do not release it into production. Initiate your non-conforming material procedure and issue a supplier corrective action request (SCAR) to the supplier. The SCAR should request root cause analysis, corrective action, and preventive action to stop recurrence. Depending on the hazard severity, you may need to notify your food safety team, perform additional testing on retained samples, or reject and return the lot. Document everything, including the hold decision, the SCAR, and the final disposition of the lot.

Q: How does a COA support FSMA 204 traceability records?

A: The FSMA 204 Final Food Traceability Rule requires certain businesses to capture Critical Tracking Event (CTE) data including the lot code, source supplier identifier, and date for covered commodities. A food COA already carries all three data points. If your receiving workflow links the COA to the incoming lot in your inventory system by lot number, the COA becomes a primary FSMA 204 traceability record. The key is ensuring the lot number on the COA matches the lot identifier in your inventory tracking system, so the data can be retrieved and linked in a 24-hour traceability exercise. See our detailed guide to the FSMA 204 traceability rule for more.