Key takeaways
- A Certificate of Analysis is a testable release document, not a marketing leaflet. A legitimate COA ties a named product and lot to numeric results, a stated method, an acceptance limit and a pass/fail verdict — anything less is a data sheet dressed up as evidence.
- "Pass" and "conforms" are not results. If a parameter has no number, no method and no limit, you cannot verify it, trend it or defend it in a dispute. Numbers with units are the minimum currency of a COA.
- Lot linkage is the field most fraud ignores. A COA that does not match the lot code on your carton, invoice and packing list proves nothing about the material actually in your warehouse, however clean the figures look.
- Accreditation belongs to the laboratory, not the trader. ISO/IEC 17025 is a laboratory competence accreditation with a defined scope; a supplier who holds ISO 22000, ISO 9001 or ISO 27001 has quality and food-safety systems, but those are not analytical accreditations for any single result.
- A third-party accredited report beats a self-declaration every time. A supplier can honestly state a value, but an accredited lab report — traceable to a scope you can check against the ILAC network — is independent evidence rather than a claim.
Introduction
The Certificate of Analysis is the single most over-trusted document in natural-ingredient sourcing. Buyers of dried fruit, botanicals, herbs and essential oils treat the COA as proof that a lot is safe and on-specification, yet many of the documents that arrive with a shipment would not survive ten minutes of scrutiny. Some are honest but incomplete; some are generic templates that describe a product type rather than a batch; and a minority are deliberately fabricated, back-filled or copied from a cleaner lot. For a QA or regulatory reviewer, the danger is the same in every case: a document that looks authoritative but cannot actually be verified.
This guide is written for procurement, QA and regulatory teams buying Turkish natural products for the EU and Ukraine. It sets out what a legitimate COA must contain, the specific red flags that separate a real accredited result from a self-declaration dressed up as one, and the concrete steps that let you validate a document before it becomes your release evidence. The principles are deliberately framed as principles, because acceptance limits and applicable methods change by matrix and end use — the discipline of demanding the right fields does not. For adjacent controls, read the Arovela guides on reading a botanical COA, heavy metals in botanicals and dried fruit, microbial limits for botanicals and dried herbs and reading a GC-MS report for essential oils.
What a legitimate COA must contain
Before you can spot a red flag, you need the baseline. A defensible COA is a table of results wrapped in identity and traceability metadata, issued or transcribed from an analysis of the specific lot in front of you. Industry and regulatory guidance converge on a consistent set of fields: identity, batch linkage, the method behind each number, the number itself with its detection sensitivity, the limit it is judged against, and a signed release decision. Each field exists to answer a specific question a reviewer will ask.
| COA field | What it must state | Why it matters | Question it answers |
|---|---|---|---|
| Product identity | Full product name, plant part or fruit form, grade | Confirms the material tested is the material ordered | "Is this the right ingredient and grade?" |
| Lot / batch number | Unique code matching carton, invoice and packing list | Links the paper to the physical goods | "Was this lot tested, or some other lot?" |
| Sampling date | Date the sample was drawn from the lot | Anchors the result to the production timeline | "When was this material actually sampled?" |
| Test method + reference | Named method, ideally compendial (Ph. Eur., USP, AOAC, ISO, EPA) or a validated in-house method | Makes the result reproducible and comparable | "How was this measured, and can it be repeated?" |
| LOQ / LOD | Limit of quantitation and, where relevant, limit of detection with units | Defines the smallest value the method can trust | "Below what value does 'not detected' mean nothing?" |
| Numeric result | The measured value with units (e.g. 0.18 mg/kg) | The actual evidence, not an interpretation | "What did the instrument read?" |
| Specification limit | The acceptance limit or range the result is judged against | Turns a number into a pass/fail | "What was the result compared to?" |
| Pass / fail verdict | An explicit conformance decision per parameter | States the release conclusion, not just data | "Did this parameter pass?" |
| Accredited lab + scope | Laboratory name, address and accreditation (ISO/IEC 17025) with scope reference | Establishes technical competence and independence | "Who tested it, and are they accredited for this test?" |
| Signature + date | Authorised QC signatory and issue date | Assigns accountability for the document | "Who stands behind this, and when?" |
If a document carries all ten fields, you can trend it, audit it and defend it. When a field is missing, it is missing for a reason — sometimes innocent, sometimes not — and the reviewer's job is to find out which.
The specification limit is half the story
A number on its own is not a pass. "Lead 0.18 mg/kg" tells you nothing about compliance until you see the limit it was judged against and the pass/fail conclusion that follows. A strong COA prints the specification alongside the result so the verdict is self-evident; a weak one prints a result and expects you to look up the limit yourself, or prints "pass" and expects you to trust that a limit exists. The heavy-metals guide and microbial-limits guide both make the same point from the other direction: the limit depends on matrix and end use, so it must be stated on the document, not assumed.
The red flags, and what each one hides
Most weak COAs fail in predictable ways. The table below is a working checklist; the sections that follow explain the reasoning, because a red flag is a prompt to investigate, not always an automatic rejection.
| Red flag on the COA | What it usually hides | Reviewer action |
|---|---|---|
| "Pass" / "conforms" with no numeric value | A data sheet, not a batch result; possibly no test at all | Request the numeric result and the limit it was judged against |
| Result stated, but no specification limit | You cannot judge conformance; the "pass" is unfalsifiable | Ask for the acceptance limit and the framework it comes from |
| No test method or no LOQ/LOD | Result is not reproducible; "not detected" is meaningless | Ask for the method reference and the LOQ in the same units |
| No lot linkage to invoice / packing list | The paper may describe a different lot than shipped | Match the lot code across COA, carton, invoice, packing list |
| Generic, un-dated template | Describes a product type, not a produced batch | Require sampling date, lot number and a fresh issue date |
| Identical results copied across lots | No natural variation — physically implausible for naturals | Compare several lots; flag zero variation as fabrication |
| Back-dated or future-dated results | Timeline does not fit production or sampling reality | Cross-check sampling and issue dates against the lot history |
| Results sitting exactly on the limit | Statistically unlikely across many parameters at once | Request the raw report; look for figure-fitting |
| Transcription with no original lab report | Numbers may be re-typed, rounded or altered | Ask for the accredited lab's original PDF, not a re-keyed table |
| Results better than the method LOQ | Reporting precision the method cannot deliver | Question a value below the stated limit of quantitation |
| "Independent lab" with no name or accreditation | No way to verify competence or scope | Require the lab name and check its accreditation scope |
"Pass" or "conforms" with no number
This is the most common and most revealing red flag. A parameter reported only as "pass," "conforms," "complies" or "typical" is not a measurement — it is an assertion. Guidance on reading certificates is consistent on this point: a COA that lists "typical" or "conforms" without batch-specific numbers is effectively a technical data sheet, not a certificate of analysis. Numbers can be trended across deliveries; assertions cannot. Numbers can be defended in a claim; assertions collapse. Insist on the value and its units for every measurable parameter, and treat "conforms" as a placeholder to be filled, not an answer.
A result with no limit, or a limit with no method
Two half-COAs cause as much trouble as a blank one. A result with no specification limit gives you a number you cannot judge. A limit with no method gives you a target with no way to reproduce the measurement. The method reference matters because "arsenic" measured by a validated ICP-MS procedure with a stated digestion step is a different quality of evidence than "arsenic" from an unstated screen. Where a compendial method exists — European Pharmacopoeia, USP, AOAC, an ISO method, an EPA method — a serious lab cites it. An in-house method is acceptable if it is named and validated, but "arsenic: pass" with neither method nor limit is not.
Missing LOQ, and results better than the LOQ
The limit of quantitation is the lowest concentration a method can measure with acceptable reliability; the limit of detection is the lowest it can distinguish from noise. Without a stated LOQ, "not detected" is uninterpretable — not detected below what? A related and subtler red flag is a numeric result reported below the method's own LOQ: if the LOQ is 0.05 mg/kg, a confidently reported "0.012 mg/kg" claims a precision the method cannot deliver. Either the LOQ is wrong or the number is invented. Ask which.
Broken lot linkage
A COA that cannot be tied to the lot code on your carton, invoice and packing list proves nothing about the material in your warehouse. Lot linkage is the field that fraud most often ignores, because copying a clean historical result is easy while re-testing the actual shipped lot is not. This is also where honest disorganisation and deliberate substitution look identical on paper, so the control is the same for both: one composite sample, one lot code, one release file, matched across every document. The EU lot-traceability guide sets out how that chain should read end to end.
Generic templates, copy-paste results and impossible consistency
Natural products vary. Crop year, origin, harvest conditions and drying all move the numbers, so a run of lots that report byte-identical results — the same moisture, the same trace-metal figures, the same microbial counts to the digit — is physically implausible for an agricultural material. Reviewers in other sectors flag the same pattern: identical chromatograms or identical purity values across genuinely different batches are a known fabrication signature. A single clean COA can be real; five consecutive lots with zero variation cannot. Ask for several recent lots at once precisely so this pattern becomes visible.
Dates that do not fit, and figures that fit too well
Two timing red flags recur. Back-dated or future-dated results — a sampling date before the lot existed, or an issue date that predates the sampling — signal a document assembled to fit a shipment rather than a test performed on it. And results that sit exactly on the specification limit across many parameters are statistically improbable: real measurements scatter around a value, they do not all land precisely on the maximum. One parameter at the limit is normal; every parameter at the limit is figure-fitting. Neither pattern is proof of fraud on its own, but both are strong prompts to demand the raw report.
Transcription instead of the original report
Many COAs that reach a buyer are supplier-generated summaries that re-type results from an underlying laboratory report. Transcription is not automatically dishonest, but it is where rounding, selective omission and outright alteration happen, because the buyer never sees the source. The defence is simple: for any result that matters, ask for the accredited laboratory's original signed report — the PDF the lab issued — not a re-keyed table on the supplier's letterhead. If the supplier cannot or will not produce it, treat the transcribed figures as unverified.
Accreditation: whose competence is on the document
Accreditation is the field buyers most often misread, so it deserves a section of its own. The relevant standard is ISO/IEC 17025:2017, General requirements for the competence of testing and calibration laboratories — the current edition, which replaced the 2005 version. It is the international benchmark by which a laboratory demonstrates technical competence, method validation, measurement traceability and impartiality. Three points matter for a buyer.
First, ISO/IEC 17025 accredits a laboratory, not a trader or a producer. A supplier who says it "has ISO 17025" has almost always confused a lab accreditation with a management-system certification. A supplier legitimately holds food-safety and quality certifications — Arovela, for example, operates under ISO 22000, ISO 9001 and ISO 27001 — but those govern how the business is run, not the analytical validity of a specific test. The 17025 competence belongs to whichever accredited lab actually performed the analysis, whether that is an external contract lab or a supplier's own laboratory operating under its own separate 17025 scope.
Second, accreditation has a scope. A laboratory is not "accredited" in the abstract; it is accredited for specific tests, on specific matrices, by specific methods. A lab with a valid 17025 certificate for pesticide residues is not thereby competent-on-paper for heavy metals unless heavy metals appear in its scope. When a COA cites accreditation, the reviewer should confirm the test in question falls inside that scope, not merely that the lab holds a certificate for something.
Third, accreditation is checkable. Under the ILAC Mutual Recognition Arrangement, national accreditation bodies are peer-evaluated to ISO/IEC 17011, and each publishes or will confirm the scope of the labs it accredits. If a COA names "an independent laboratory" without naming it, there is nothing to check. A verifiable COA names the lab, states its accreditation body and certificate number, and lets you confirm the scope directly.
Self-declaration versus a third-party accredited result
The deepest distinction on a COA is not cosmetic — it is whose word the document represents. A supplier self-declaration is the supplier stating a value it believes to be true. It may be perfectly honest, and for stable, low-risk parameters it can be commercially sufficient. But it is a claim: the party with a commercial interest in the lot passing is also the party attesting that it passed. A third-party accredited result is different in kind. It is an independent laboratory, accredited under a scope you can verify, reporting a number it is professionally and contractually accountable for. The independence is the value.
The practical rule is proportionate. For a first order, a new origin, a new crop year, a concentrated extract or any legally bounded contaminant — heavy metals, mycotoxins, pesticide residues, microbial pathogens — require the third-party accredited report, ideally the lab's original document. For routine parameters on a stable, well-characterised supply history, a supplier self-declaration backed by an auditable process and retained samples may be acceptable, with periodic independent verification to keep it honest. What a buyer should never do is treat a self-declaration as if it were an accredited result, or accept "tested by an accredited lab" as a substitute for naming the lab and its scope.
How to validate a COA before you rely on it
Validation is a short, repeatable routine, not a research project. Five steps catch the overwhelming majority of weak and fabricated documents.
- Ask for the raw accredited lab report. For any result that carries regulatory or safety weight, request the accredited laboratory's original signed report rather than a supplier transcription. Compare the numbers; a mismatch is decisive.
- Verify the accreditation and its scope. Confirm the lab holds a current ISO/IEC 17025 accreditation, and that the specific test and matrix fall inside its scope — via the accreditation body or the ILAC network, not the supplier's say-so.
- Match the lot across every document. Reconcile the lot code on the COA against the carton label, invoice and packing list. If they do not agree, the COA is not evidence for this shipment.
- Request per-lot testing, and compare lots. Require testing on the lot as shipped, not a "typical" or historical result, and ask for several recent lots together so copy-paste consistency and figure-fitting become visible.
- Use retained samples as the tiebreaker. Keep a retained, sealed sample of the approved reference and of received lots so an independent re-test can settle a dispute with evidence instead of opinion.
Building this into the RFQ removes the argument later. Language such as "Supplier shall provide, per lot as shipped, numeric results with method, LOQ, specification limit and pass/fail for each specified parameter, issued or supported by an ISO/IEC 17025-accredited laboratory whose scope covers the test; the accredited laboratory's original report shall be provided on request; results shall be traceable to the lot code on the invoice and packing list" turns every red flag above into a contractual gate. For the wider sourcing controls this sits inside, see the Arovela COA reading guide and quality testing of botanical ingredients.
Frequently asked questions
Is a COA that only says "pass" ever acceptable?
Rarely, and never for a parameter that carries safety or legal weight. A bare "pass" is an assertion, not a measurement: it cannot be trended across deliveries or defended in a dispute, and it may conceal that no test was performed on the lot at all. For low-risk, well-characterised parameters on a stable supply history it can be commercially tolerable, but the reviewer should still be able to obtain the underlying numeric result and the limit on request. Treat "pass," "conforms" and "typical" as placeholders to be filled with a number and a limit, not as answers.
How do I check whether a laboratory is genuinely accredited?
Do not rely on a logo or a certificate number printed on the COA. ISO/IEC 17025 accreditation is issued by a national accreditation body that is itself peer-evaluated under the ILAC Mutual Recognition Arrangement, and that body can confirm both the certificate's validity and the laboratory's scope. Confirm three things: that the accreditation is current, that the specific test and matrix appear inside the scope, and that the lab named on the COA is the lab that actually did the work. An unnamed "independent lab" cannot be checked and should be treated as unverified.
What is the difference between a supplier self-declaration and a third-party result?
A self-declaration is the supplier reporting a value it believes to be correct; the party that benefits from the lot passing is also the party attesting that it did. A third-party accredited result is an independent laboratory, accredited under a verifiable scope, reporting a value it is accountable for. Both can be honest, but only the second is independent evidence. For first orders, new origins, concentrated extracts and legally bounded contaminants, require the third-party accredited report; for routine parameters on a proven supply, a self-declaration with retained samples and periodic verification may suffice.
Why are identical results across several lots a problem?
Because natural products vary. Crop year, origin, harvest and drying all move moisture, trace metals and microbial counts, so genuinely different lots should show at least small differences. A run of lots reporting byte-identical figures is physically implausible and is a recognised fabrication signature — someone has copied one clean result across several batches. Requesting several recent lots at once is the simplest way to expose this: one clean COA can be real, but zero variation across many lots cannot.
Turn your COA review into a defensible control
If your team is buying dried fruit, botanicals, herbs or essential oils from Turkey for the EU or Ukraine, the fastest way to raise document quality is to specify the COA fields in the RFQ and validate them before release — numeric results, method, LOQ, limit, lot linkage and an ISO/IEC 17025-accredited laboratory whose scope you can check. Arovela supports lot-specific documentation, COA review and export planning within its ISO 22000, ISO 9001 and ISO 27001 systems, without claiming laboratory accreditations or certifications it does not hold. Start with a technical quote request, compare wholesale supply options, or review Arovela certifications before you finalise your COA requirements.

