Beyond the Certificate of Analysis: What Supplier Verification Really Asks of You


Walk into most receiving operations and supplier verification looks like a filing system. A lot arrives, a certificate of analysis arrives with it, the COA says the ingredient is within spec, and the document goes into the folder. Box checked. It feels like verification right up until a recall, an FDA inspection, or a customer complaint asks the harder question the folder was never built to answer: not “do we have the paperwork?” but “was the product actually safe?”

Those are not the same question. The space between them is where a surprising number of preventable failures live, and closing it is one of the highest-return moves a quality team can make.

What the rule actually asks for

It helps to start with what FSMA requires, because the regulation is more demanding and more sensible than “keep the COAs on file.”

The Preventive Controls for Human Food rule (21 CFR Part 117) turned supplier oversight from a procurement nicety into a defined food safety control. Under Subpart G, when a hazard in an ingredient is controlled before you receive it what the rule calls a “supply-chain-applied control” your facility has to run a risk-based supply-chain program that gives real assurance the hazard was significantly minimized or prevented.1

Holding paperwork does not satisfy that. The rule expects you to use approved suppliers, decide on and carry out verification activities suited to the hazard, and document what you did. The part many programs miss is that the regulation deliberately scales the verification to the risk. For a hazard with serious health consequences say, a pathogen like Salmonella in a ready-to-eat ingredient an onsite audit of the supplier is the default expectation, before you first approve them and annually after, unless you’ve written down a defensible reason to do something else.3 For lower-risk hazards, sampling and testing, a review of the supplier’s records, or another fitting activity may be enough.

Read that closely and the rule is already making this article’s argument for you: verification is a spectrum, and a certificate is one tool on it right for some hazards, badly undersized for others.

Why a certificate isn’t proof

A COA is, at bottom, an assertion. It says someone tested a sample of a lot, by some method, and got a result. That can be genuinely useful. Treated as proof of safety, though, it has three weak points worth being honest about.

It describes a sample, not your lot. For contaminants that don’t distribute evenly mycotoxins, heavy metals, pathogens in dry goods are the usual suspects the result is only as good as the sampling behind it. Aflatoxin is the textbook case: a few contaminated kernels can carry thousands of times the toxin of the material around them, so a clean number pulled from a careless grab sample tells you about the scoop, not the shipment. If you don’t know how the supplier sampled, you don’t really know what their number means.

It’s only as good as the lab and the method. A result with no validated method behind it, from a laboratory whose competence for that analyte and matrix you can’t establish, is hard to lean on when it matters. That’s the practical case for accredited testing: ISO/IEC 17025 accreditation means a lab has shown technical competence for specific tests, works to validated methods, and proves itself through proficiency testing. A COA from an unknown lab and a report from an accredited one aren’t the same instrument, even when the numbers happen to agree.

And documents can simply be wrong through honest error, a stale specification, or, in the well-documented world of economically motivated adulteration, deliberate falsification. Anyone who has watched the adulteration stories around spices, oils, and honey knows that a supplier’s paperwork and a supplier’s product are not always the same thing.

None of this makes COAs worthless. It means they belong inside a program that occasionally tests whether they’re telling the truth not standing in for one.

Building verification that fits the hazard

The programs that hold up treat verification as a portfolio matched to risk, not a single document repeated for everything. A few principles do most of the work.

Match the effort to the hazard. Put your most rigorous tools onsite audits, independent confirmatory testing against the hazards that could hurt someone, and lighter activities against lower-risk ingredients. That isn’t just sensible; it’s how Subpart G expects you to make approval and verification decisions in the first place.

Spot-check your suppliers’ COAs with your own testing. The goal isn’t to retest every lot of everything nobody requires that, and nobody could afford it. It’s to confirm, on a risk-based cadence, that the supplier’s documentation matches reality, using a lab whose competence for that analyte and matrix you can actually demonstrate. The day your independent result and the supplier’s COA disagree is the day the whole program earns its keep.

Treat sampling as seriously as the assay. For unevenly distributed contaminants, the sampling plan is the control. Specify how representative samples get drawn and ground, because no instrument, however sophisticated, rescues a bad sample.

Revisit suppliers on a schedule and whenever something changes. New ingredient, new origin, new supplier the hazard picture moves, and the paperwork lags. The supply-chain program, and for imported ingredients its sibling the Foreign Supplier Verification Program under 21 CFR Part 1, expects you to weigh supplier performance and reassess when new information about a hazard or a supplier turns up.

Write down the reasoning, not just the result. When you choose a verification activity other than the default for a serious hazard, the rule expects a documented justification.3 The artifact that protects you isn’t only the test report; it’s the recorded logic tying the hazard to the supplier to the activity you picked.

The shift worth making

The real change here is one of posture. A program built to collect documents answers “do we have the paperwork?” A program built to verify answers the question that actually keeps people safe: if this ingredient were out of spec right now, would we catch it before our customer did?

The distance between those two questions gets measured in recalls. FSMA’s supply-chain program sets a floor approved suppliers, risk-based verification, documentation. The manufacturers who turn that floor into genuine protection are the ones who treat a certificate of analysis as the start of verification, not the end of it, and who back their supplier programs with sampling and analytical competence equal to the hazards they’re trying to control.

Paperwork can promise safety. Only verification demonstrates it.

Related Articles

  • Nuts, tree nuts

    For food brands, processors, and exporters, aflatoxins represent a dual risk: severe public health consequences and strict regulatory enforcement. In 2024 alone, the EU rejected 127 shipments from Africa due to aflatoxin levels exceeding 2 ppb  for AFB1. For consultants…

  • USDA LogoUSDA Logo

    While the department’s food safety leadership likes to repeatedly emphasize that they use a science-based and data-driven approach to policy making, consumer advocates worry that these statements are meaningless if they don’t translate into policy initiatives that aim to prevent…

  • FDA LogoFDA Logo

    On June 15, 2026 The FDA held a public meeting to give the public an opportunity to share information on continued implementation of the Food Traceability Rule and areas of remaining concern, specifically as they relate to lot-level tracking and flexibilities for compliance

  • Workers production lineWorkers production line

    Growth, continuous improvement, and increased throughput should never come at the expense of robust food safety practices. Instead, food safety programs must evolve alongside manufacturing operations to ensure both objectives advance together. The challenge arises when operational excellence begins to…

  • Farming, sustainabilityFarming, sustainability

    On the same day the SCOTUS sided with the Trump administration and the maker of the weedkiller Roundup, Trump issued an executive order aimed at reducing pesticides in the food supply and studying the health risks they pose but with…

  • FDA LogoFDA Logo

    The discussion paper includes information and questions to help inform FDA’s engagements with stakeholders, including the upcoming virtual FDA-led public meeting on June 15th.