How to Read a Certificate of Analysis (CoA): 9 Checks Before You Accept a Lot

A Certificate of Analysis is often treated as a formality—something to file so material can move. In reality, it is one of the highest‑leverage quality control points you have at receiving.

Regulators are explicit that you remain responsible for the quality of incoming materials, even when you rely on supplier data. In the U.S., manufacturers must perform at least one specific identity test on each lot and may only rely on a supplier’s CoA for other tests if the supplier’s reliability has been established and periodically verified .
For APIs, ICH Q7 requires that CoAs list tests performed, acceptance limits, results, and be signed by authorized quality personnel, with appropriate batch identification and dating .
In the EU, GMP Chapter 5 allows use of a supplier CoA only when the supplier is approved, the CoA is appropriately authorized, and the manufacturer periodically performs full analyses to confirm reliability .

The checklist below turns those expectations into nine practical checks you can run before accepting a lot.

What a CoA is—and what it is not

• Is: Evidence of testing performed against a defined specification by the manufacturer or an authorized testing site.

• Is not: A substitute for required incoming identity testing, supplier qualification, or ongoing verification of data reliability.

The 9 Checks Before You Accept a Lot

1) Supplier identity, site, and CoA authenticity

Check

• Legal manufacturer name and address

• Manufacturing site (if different)

• Unique CoA number, issue date

• Signature (or secure electronic signature) from authorized Quality personnel

Why it matters
ICH Q7 and EU GMP both expect CoAs to be issued and authorized by Quality; unsigned or ambiguously authorized documents are a red flag .

Common issues

• Trading company listed instead of manufacturer

• Missing or generic signatures

• Reused CoA numbers across lots

2) Material identification matches your system

Check

• Material name and grade

• Internal material code or customer reference (if used)

• Compendial designation (if applicable)

• Match to PO, label, and receiving record

Why it matters
Mis‑matched identifiers are a common root cause of mix‑ups and rejected lots—especially when suppliers make multiple grades or forms.

3) Lot/batch identifiers and dates

Check

• Batch/lot number consistency across CoA, label, and shipping docs

• Manufacture date (if provided)

• Release date

• Retest or expiry date (as applicable)

Why it matters
ICH Q7 expects appropriate batch identification and dating on CoAs, including retest/expiry where used for APIs .

4) Correct specification and revision

Check

• Specification ID and revision/date referenced on the CoA

• All required tests are present (none missing, none unexpected)

Why it matters
A CoA against the wrong spec—or an outdated revision—invalidates the result, even if every value is “in spec.”

5) Results versus acceptance criteria (with units)

Check

• Each test lists an acceptance criterion and a result

• Units are correct and consistent with your spec

• Numeric results are provided where required (not only “Pass”)

Why it matters
ICH Q7 expects CoAs to list tests, limits, and results; vague pass/fail reporting hides trends and errors .

6) Methods and compendial alignment

Check

• Test method references (internal, USP/EP/JP, or other)

• Any alternate methods clearly identified and approved

• Method versions align with what you have on file

Why it matters
Unapproved method changes can invalidate comparability—even if results appear acceptable.

7) Storage, packaging, and special handling statements

Check

• Storage conditions listed (if required)

• Packaging description (if relevant to stability)

• Any special transport or handling statements

Why it matters
For APIs, ICH Q7 expects appropriate control of storage and transport conditions; inconsistencies can signal stability risk .

8) Incoming testing and CoA reliance rules are met

Check

• Identity testing will be (or has been) performed per your SOP

• Supplier CoA reliance is current (supplier approved; periodic verification completed)

Why it matters
Under 21 CFR 211.84, you cannot fully rely on a CoA unless supplier reliability has been established and is maintained—and identity testing is still required . EU GMP has similar expectations for periodic full testing to confirm reliability .

9) Trend and anomaly check (even if “in spec”)

Check

• Assay vs prior lots

• Key impurities vs historical range

• Total impurities, water content, or other critical attributes

• Differences versus other approved suppliers (if applicable)

Why it matters
Out‑of‑trend (OOT) results often precede out‑of‑specification failures. A CoA review that ignores trends is a missed early‑warning system.

One‑page CoA acceptance checklist (use at receiving)

Material:
Supplier / Site:
Lot:
CoA #:
Date reviewed:
Reviewer:

• ☐ Supplier and site match approved list

• ☐ CoA authorized by Quality (signature present)

• ☐ Material ID and grade match PO and label

• ☐ Lot/batch numbers consistent across documents

• ☐ Dates acceptable (not expired / retest date valid)

• ☐ Correct specification and revision referenced

• ☐ All required tests present with limits and results

• ☐ Methods acceptable and approved

• ☐ Trend check performed (no unexplained shifts)

Disposition: Accept / Quarantine / Reject
If not accepted: Deviation / investigation #
Reviewer initials / date:

Trend assay and key impurities across lots and suppliers

A simple, sustainable approach:

• Attributes to trend (typical): assay, key specified impurities, total impurities, water content, residual solvents, particle size or polymorph (if relevant).

• How: basic run charts or control charts by supplier and by material.

• Triggers:

  • 3 consecutive lots trending in one direction

  • Step change vs historical mean

  • Systematic difference between suppliers

Key point: Trending is not re‑testing—it is using supplier data to manage risk proactively.

Train backups so CoA review doesn’t bottleneck deliveries

CoA review often becomes a single‑person dependency.

Practical controls:

• Written CoA review SOP with examples of acceptable vs unacceptable CoAs

• At least two trained reviewers per material category

• Defined escalation path for “gray‑area” CoAs

• Periodic calibration (review the same CoA as a group and compare conclusions)

Record decisions, owners, and due dates

Every CoA‑related exception should produce a clear record:

• What was wrong?

• Who decided disposition?

• What corrective action is required (supplier, internal, or both)?

• When will it be verified?

This aligns with quality risk management expectations to produce actionable, traceable decisions, not just risk ratings.

File supporting documents with the final record

A complete CoA acceptance record typically includes:

• Supplier CoA (controlled copy)

• Completed receiving checklist

• Identity test results

• Trend data (if reviewed as part of acceptance)

• Deviations/investigations and approvals

• Supplier communication (if clarification was required)

Schedule a follow‑up review to capture lessons learned

At least annually—or after a significant issue—review:

• CoA error rate by supplier

• Trends that triggered investigations

• Time lost to CoA clarification or rework

• Training gaps or SOP ambiguities

Update the checklist and training accordingly.

Closing thought

A CoA is not just paperwork—it is supplier‑generated process data. When you apply a disciplined, repeatable review, you turn receiving into an early‑warning system instead of a downstream firefight.

Checklist

• Use a one‑page CoA acceptance checklist at receiving.
• Trend assay and key impurities across lots and suppliers.
• Train backups so CoA review doesn’t bottleneck deliveries.
• Record decisions, owners, and due dates.
• File supporting documents with the final record.
• Schedule a follow‑up review to capture lessons learned.

Notes:

This checklist is for educational use only and does not replace your internal procedures.