Key Takeaways
Supplier COAs are a required verification input under CFIA’s Safe Food for Canadians Regulations (SFCR), but filing them without structured review creates audit exposure and genuine food safety risk.
A defensible PCP microbiology verification program treats COAs as active risk management data, not administrative paperwork, requiring documented acceptance criteria, method equivalency checks, and lot-specific traceability.
CFIA defines COA review as a formal assessment activity; inspectors expect to see your criteria, your review process, and your escalation decisions, not just the documents themselves.
Most plants have hidden gaps in how they integrate supplier data: inconsistent acceptance criteria, unverified lab accreditation, and no confirmatory testing triggers, all of which surface under audit pressure or during contamination investigations.
The framework covered in this article (Assess, Establish, Review, Verify, Document) gives QA and food safety teams a structured approach to building supplier COA integration that holds up under CFIA, GFSI, and customer scrutiny.
Executive Summary
Most food manufacturers collect supplier certificates of analysis as a matter of routine. They arrive with shipments, get logged, and move into a filing system. What happens next, or more accurately what often does not happen next, is where significant regulatory and food safety risk accumulates.
Under Canada’s Safe Food for Canadians Regulations (SFCR), the review of a supplier’s certificate of analysis is not a passive administrative step. The CFIA defines it explicitly as a formal assessment or examination of supplier-provided documentation showing microbiological and chemical analysis results, conducted to confirm that incoming materials comply with the standards established in your Preventive Control Plan. That distinction between filing a document and formally assessing it carries real weight during an inspection.
Cremco Labs works with mid-sized Canadian food manufacturers navigating exactly this challenge: building supplier verification programs that satisfy CFIA’s expectations while remaining operationally practical. The science behind COA interpretation, method equivalency, and confirmatory testing is where the gap between compliant on paper and genuinely defensible programs becomes visible.
When a CFIA inspector reviews your PCP, they are not simply checking whether COAs exist in a binder. They are looking for evidence that your organization has established clear acceptance criteria for incoming materials, applies those criteria consistently at the point of receipt or review, and makes documented decisions based on the results. The verification activity must be described in your PCP, carried out as written, and supported by records that demonstrate it happened for each applicable shipment or lot.
Why Supplier COAs Matter in Your PCP Verification Program
This is a higher bar than many plants currently meet. Facilities operating under GFSI-benchmarked schemes (SQF, BRC, FSSC 22000) face parallel requirements, and the alignment between those standards and SFCR expectations means that gaps in COA integration tend to surface simultaneously across regulatory and customer audits. The cost of discovering those gaps during an audit is substantially higher than the cost of building the system correctly in advance.
Beyond the audit risk, there is a more immediate operational concern. Incoming materials, whether raw agricultural commodities, processed ingredients, or packaging with direct food contact, represent a category of hazard that your PCP is designed to control. If your only mechanism for verifying that an ingredient meets your microbiological standards is a COA you have not formally evaluated, you are operating without a functioning control at that point in your supply chain.
The downstream consequences range from a contaminated lot entering your process undetected, to a recall driven by a pathogen that should have been flagged at receiving, to a CFIA-initiated investigation in which your records show no documented basis for the release decision. None of these outcomes is hypothetical; they appear consistently in CFIA inspection findings and recall notices tied to incoming ingredient failures.
It is equally important to be clear about what a COA is not. A certificate of analysis, even one from an ISO 17025-accredited laboratory using recognized reference methods, is a point in time snapshot of a tested sample from a specific lot. It does not guarantee the microbiological status of every unit in that shipment. It does not substitute for a validated kill step where one is required. And it does not replace the broader supplier approval and monitoring program that your PCP should describe.
COA review is one input into a larger supplier assurance architecture that includes supplier qualification, periodic audits or assessments, risk-based confirmatory testing, and trend analysis over time. Understanding where COA verification fits, and where it reaches its limits, is essential for designing a program that is both scientifically sound and audit defensible.
The Hidden Gaps in How Most Plants Use Supplier COAs
The gap between how most plants handle COAs and what a defensible verification program requires is rarely dramatic. It tends to be structural: the right documents are being collected, but the systems for evaluating and acting on them are underdeveloped. These gaps are predictable, and they follow consistent patterns.
Treating COAs as Compliance Paperwork Rather Than Risk Management Tools
The most common failure mode is organizational rather than technical. When COA management sits primarily with a receiving clerk or purchasing coordinator, the document becomes a checkbox rather than a decision point. Someone confirms the COA arrived, attaches it to the receiving record, and releases the material. Whether the reported results actually meet your PCP’s microbiological criteria, or whether the testing was even conducted using an appropriate method, is often never formally evaluated.
This is not a criticism of receiving or purchasing teams. It reflects a system design problem: COA review has not been defined as a QA function with explicit criteria, training, and escalation authority. When QA does not own the evaluation step, the assessment described in CFIA’s definition of COA review does not occur in any meaningful sense.
Common Failure Patterns
Three specific failure patterns account for the majority of COA-related gaps identified during CFIA inspections and third-party audits:
Filing without structured review: COAs are retained as records but are not evaluated against documented acceptance criteria. There is no recorded decision, no evidence of who reviewed the document, and no escalation path when results are borderline or missing.
Non-equivalent or unverified test methods: Supplier labs use rapid methods, alternative platforms, or in-house procedures that have not been validated against Health Canada MFHPB methods, AOAC-approved methods, or ISO reference standards. The result may be technically accurate or it may not be, and without method verification, you cannot know.
Missing lot-specific coverage: Suppliers provide composite or batch-level COAs that do not reflect the specific lot delivered. Or testing is conducted on a subset of parameters, leaving pathogens relevant to your hazard analysis absent from the documentation entirely.
Why These Gaps Create Problems During CFIA Audits and Contamination Investigations
During a routine CFIA inspection, an inspector reviewing your incoming goods verification records will look for evidence that your review process was actually applied. If your records show COAs on file but no documented evaluation against acceptance criteria, the gap is immediately apparent. The follow-up question (“how do you know this material met your PCP requirements at the time of receipt?”) becomes very difficult to answer convincingly.
During a contamination investigation or recall, the stakes are considerably higher. Investigators will reconstruct the decision chain that allowed a contaminated lot into your process. If that chain includes a COA that was filed but not formally reviewed, or a supplier lab whose accreditation you cannot verify, or a testing scope that excluded the pathogen of concern, those findings become part of the regulatory record. They can inform enforcement decisions, affect your corrective action obligations, and, in cases involving customer or retailer notification, become part of a very expensive public conversation about your food safety program.
What an Audit-Ready Supplier Verification System Looks Like
A supplier verification system that holds up under CFIA review is characterized less by complexity than by clarity. The criteria are documented. The review process is assigned. The records demonstrate consistent application. And the escalation path, what happens when something does not meet specification, is defined before the problem arrives at your dock.
Integrated Supplier Approval, Ongoing COA Review, and Risk-Based Confirmatory Testing
Supplier verification does not begin at receiving. It begins during supplier qualification, where you establish whether a supplier’s food safety program, laboratory capabilities, and microbiological controls are adequate for the ingredient category and associated hazard profile. COA review is a continuation of that assessment, not a standalone activity, but a recurring data point within an ongoing evaluation of supplier performance.
Risk-based confirmatory testing is the mechanism that prevents COA review from becoming entirely dependent on trusting supplier-provided data. For high-risk ingredients (those associated with pathogens that could survive your process or reach consumers without a validated kill step), periodic independent testing by an accredited third-party laboratory provides an external check on what the supplier is reporting. The frequency, scope, and trigger criteria for that testing should be documented in your PCP and updated based on supplier history, ingredient risk category, and any changes in your supply chain.
Cross-Functional Coordination Between Purchasing, QA, and Lab Partners
One practical challenge in building an integrated supplier verification system is that the relevant information and authority are often distributed across departments that do not communicate systematically. Purchasing manages supplier relationships and receives COAs. QA owns the PCP and verification activities. A third-party lab provides testing data that may or may not be connected to either function in a structured way.
Closing that coordination gap requires explicit process design: who receives the COA, who conducts the formal evaluation, what criteria are applied, what the escalation path looks like, and how confirmatory testing results are linked back to the COA record and the lot disposition decision. When that process is mapped and documented, it becomes auditable. When it is informal and undocumented, it is effectively invisible to an inspector, regardless of how diligent the individuals involved may be.
Decision Rules Linking COA Acceptance to Material Release and Escalation Protocols
Every COA review should conclude with a documented decision: accept, hold, or reject. The criteria driving that decision should be pre-established in your PCP or supporting procedures, not determined on the fly by whoever happens to be reviewing the document that day. Decision rules should specify the acceptable microbiological limits for each parameter, the required testing scope by ingredient category, the accreditation requirements for the supplier’s laboratory, and the conditions under which confirmatory testing is triggered before release.
Escalation protocols define what happens when results are outside specification, when a COA is absent or incomplete, or when a supplier’s lab accreditation cannot be verified. Those protocols should identify who has authority to place a hold, who makes the final release or rejection decision, and what documentation is required to support that decision. Without pre-defined escalation paths, hold decisions become inconsistent and are frequently made under commercial pressure rather than food safety criteria.
A Framework for Incorporating COAs into PCP Verification
Assess: Map Incoming Materials to PCP Hazards
The starting point for incorporating COAs into your PCP verification program is a systematic mapping exercise: for each incoming ingredient, packaging material, or processing aid, identify the microbiological hazards your hazard analysis has associated with that material and the control measures your PCP relies on to address them. This mapping determines what microbiological parameters a supplier COA must cover to be meaningful as a verification input for that specific material in your specific process context.
Not all incoming materials carry the same hazard weight. A raw agricultural commodity entering upstream of a validated thermal kill step presents a different verification challenge than a ready-to-eat ingredient added post-lethality. Your COA requirements should reflect that distinction explicitly. For materials where incoming microbiological status directly affects finished product safety (because no subsequent step will reduce the hazard to an acceptable level), the expectations placed on supplier testing scope, method rigor, and lot-specific coverage need to be proportionally more stringent.
Establish: Define COA Acceptance Criteria
Once your hazard mapping is complete, translate it into documented acceptance criteria for each ingredient category. These criteria should specify the microbiological parameters required on the COA, the acceptable limits for each parameter, the minimum testing frequency the supplier must apply, the accreditation standard the supplier’s laboratory must hold, and the reference methods against which results must be generated. These are not aspirational targets; they are the documented basis for every release decision your team makes.
Acceptance criteria should be incorporated into your supplier agreements and your internal receiving procedures simultaneously. When criteria exist only in one location (a supplier contract that QA has never seen, or an internal procedure that purchasing was never trained on), the result is inconsistent application and a verification system that is defensible on paper but not in practice. The goal is alignment: supplier understands the requirement, your receiving team applies the criterion, and your records show the evaluation occurred.
Review: Apply Structured COA Evaluation Every Shipment
Structured COA review means applying your documented acceptance criteria to each COA as a formal evaluation step, not a cursory check. In practice, this looks like a trained QA reviewer confirming that the COA covers the required parameters, that reported results fall within acceptance limits, that the lot number on the COA matches the shipment being received, that the testing date is consistent with the shipment timeline, and that the issuing laboratory holds the required accreditation for the methods used. Each of these checkpoints should be recorded, not simply performed mentally and assumed to be sufficient.
Many facilities find value in a structured COA review form or checklist that documents each evaluation point and captures the reviewer’s identity, the date of review, and the disposition decision. This is not bureaucratic overhead; it is the evidence base that demonstrates your verification activity occurred as described in your PCP. A CFIA inspector who asks to see records of your incoming goods verification should be able to trace a specific lot through the COA, the review record, and the release or hold decision without reconstructing a narrative from disconnected documents.
Verify: Determine When Independent Testing Is Required
COA review alone is not always sufficient verification, and your PCP should define the conditions under which independent confirmatory testing by an accredited third-party laboratory is required before material release. Triggers for confirmatory testing typically include: new suppliers or new ingredient sources from existing suppliers; any COA showing results near specification limits; ingredients associated with pathogens of high consequence in your product category; situations where supplier lab accreditation cannot be confirmed; and periodic scheduled verification intervals established based on ingredient risk category and supplier performance history. The frequency and scope of that testing should be documented, applied consistently, and updated as your supplier risk picture evolves.
Document: Build Traceable Records for CFIA Inspection
Documentation requirements for COA-based verification extend beyond retaining the COA itself. A complete record set for each lot should include the original COA, your internal review record showing the criteria applied and the evaluation outcome, any confirmatory testing results and their linkage to the lot in question, and the final disposition decision with the identity of the person who made it. For lots that were held or rejected, the corrective action record should also be part of the file.
Traceability is the practical test of your documentation system. If a CFIA investigator or your own internal team needs to reconstruct the incoming verification history for a specific ingredient lot (because it appeared in a product now under investigation), your records should make that reconstruction straightforward. If it requires interviewing staff to fill in undocumented steps, your documentation system is not functioning as a verification record. It is functioning as an archive of documents that happened to be collected, which is a meaningfully different thing.
COA Acceptance Requirements That Satisfy CFIA and GFSI Auditors
Understanding what makes a COA technically acceptable is a prerequisite for defining your acceptance criteria in any meaningful way. Not all certificates of analysis are equivalent, and the differences that matter most (laboratory accreditation scope, method selection, sampling plan design) are not always obvious from the document itself. Building acceptance criteria without understanding these variables produces criteria that look complete on paper but may not provide the scientific assurance they appear to.
CFIA inspectors and GFSI auditors approach COA review requirements from the same fundamental position: the certificate must represent testing that was conducted by a competent laboratory, using appropriate methods, on a sample that is representative of the lot in question. Each of those three conditions can be evaluated, and your acceptance criteria should address each one explicitly.
Lab Accreditation and Method Standards
The laboratory that issued a supplier COA should hold ISO/IEC 17025 accreditation for the specific tests reported and the relevant food matrices. ISO/IEC 17025 is the international standard for testing and calibration laboratory competence, and accreditation to this standard by a recognized accreditation body (such as the Standards Council of Canada or an equivalent ILAC-member body) provides independent confirmation that the laboratory’s methods, equipment, personnel, and quality system have been assessed against defined technical criteria.
The important nuance here is scope. A laboratory may hold ISO/IEC 17025 accreditation without that accreditation covering the specific pathogen, indicator organism, or food matrix relevant to your ingredient. When you specify that supplier COAs must come from an ISO 17025-accredited laboratory, that requirement should include confirmation that the accreditation scope covers the tests being reported. A certificate of accreditation with a scope that does not include Listeria monocytogenes detection in a dairy matrix, for example, does not provide the same assurance as one that does, even if the lab holds accreditation for other tests.
For Canadian food manufacturers, there is also a practical question of whether international supplier labs hold accreditation recognized under frameworks that CFIA considers credible. Laboratories accredited by ILAC-member bodies are generally recognized within this context, but verifying the specific accreditation status and scope of an international supplier’s laboratory may require direct communication with the supplier and, in some cases, independent verification through the accreditation body’s public registry.
Health Canada (MFHPB), AOAC, or ISO Method Alignment
The reference methods recognized by Health Canada (published through the Health Protection Branch methods), along with AOAC International-approved methods and ISO food microbiology standards, represent the method framework most directly aligned with Canadian regulatory expectations. When a supplier COA reports results generated using these reference methods, the scientific basis for the result is well-established and directly comparable to the methods your own confirmatory testing program or third-party verification lab would use. Method alignment is what makes COA data genuinely interpretable as a verification input rather than simply a number on a page.
What to Do When a Supplier Uses Rapid or Alternative Methods
Rapid microbiological methods (PCR-based detection platforms, lateral flow immunoassays, automated impedance systems) are widely used in food industry laboratories and, when properly validated, can provide results equivalent to reference culture methods in significantly less time. The critical question for COA acceptance purposes is whether the rapid method used by the supplier’s laboratory has been validated for equivalency to the applicable reference method for the specific organism and matrix in question, and whether that validation is documented and available for your review.
AOAC Performance Tested Methods and AOAC Official Methods of Analysis provide a recognized framework for this validation, and a supplier whose laboratory uses rapid methods should be able to provide method validation documentation on request. If that documentation is unavailable or the method has not been formally validated against a recognized reference, your acceptance criteria should require that confirmatory testing using a reference method be conducted before material release for high-risk ingredients.
Sampling Plans and Statistical Confidence
A COA can only represent what was actually tested, and the statistical confidence that result provides depends entirely on how the sample was collected and how many analytical units were tested. A single composite sample from a large lot provides very different statistical coverage than an ICMSF-based sampling plan designed for a specific hazard category and lot size. For pathogens like Listeria monocytogenes in ready-to-eat ingredients, where even low-level contamination at a low prevalence can represent significant risk, the sampling plan behind the COA result is a critical element of its evidentiary value.
When establishing acceptance criteria for high-risk ingredients, consider specifying minimum sampling plan requirements (including the number of analytical units, the sampling method, and the compositing approach) in your supplier agreements. This is standard practice under GFSI-benchmarked programs and aligns with the risk-stratified sampling approach described in ICMSF guidance. A COA reporting “not detected” based on a single 25g analytical unit from a 20,000 kg lot provides substantially less assurance than one based on a multi-unit plan designed to detect contamination at a defined prevalence with defined statistical confidence. Your acceptance criteria should reflect that distinction where ingredient risk warrants it.
Scenarios: How Different Plants Integrate COAs into PCP Verification
The following anonymized scenarios illustrate how different manufacturing contexts shape the practical design of COA integration within PCP verification programs. They are presented as representative examples of common operational trade-offs, not as prescriptive templates. Each facility’s approach should reflect its specific hazard analysis, product risk profile, supplier landscape, and internal capability.
Scenario 1: Mid-Sized RTE Manufacturer with High-Risk Ingredients
A mid-sized ready-to-eat deli meat manufacturer sources several post-lethality ingredients (seasonings, functional blends, natural flavours) from multiple domestic and international suppliers. Because these ingredients are added after the primary thermal kill step and reach consumers without further cooking, even low-level pathogen contamination in an incoming ingredient represents a direct finished product safety risk.
This facility implemented a tiered COA acceptance program that classifies each post-lethality ingredient by hazard level and assigns mandatory testing scope, accreditation requirements, and confirmatory testing frequency accordingly. High-risk ingredients require ISO 17025-accredited pathogen testing using AOAC or ISO reference methods, lot-specific COAs matched to each delivery, and quarterly confirmatory testing by an independent accredited laboratory regardless of supplier COA results.
Supplier performance data from COA trending and confirmatory testing results is reviewed quarterly by QA and used to adjust the confirmatory testing schedule, reducing frequency for consistently performing suppliers and increasing it when borderline results or method inconsistencies are identified.
Scenario 2: Multi-Site Processor Standardizing Supplier Requirements
A multi-site food processor operating three plants under a shared corporate PCP framework encountered a recurring audit finding: COA acceptance criteria and review practices varied significantly between facilities, even for the same ingredients sourced from the same suppliers. One plant required ISO 17025 accreditation and conducted structured COA reviews with documented decisions; another filed COAs without formal evaluation and had no confirmatory testing program.
The corporate QA team developed a standardized supplier qualification and COA review procedure that applied across all sites, with centrally maintained supplier accreditation files, standardized review forms, and a shared database linking COA results to lot numbers and finished product batches.
Implementation required cross-functional engagement that went beyond QA. Purchasing needed to incorporate COA requirements into supplier agreements and communicate accreditation expectations during supplier onboarding. Plant managers needed to allocate time and authority for the COA review step within receiving workflows. The corporate food safety team worked with an external accredited laboratory partner to design the confirmatory testing schedule and establish method equivalency documentation for suppliers using rapid methods.
The result was a verification program that could be demonstrated consistently across sites during GFSI audits and CFIA inspections, which, for a multi-site operation subject to inspections at any facility, represents a significant reduction in audit risk exposure compared to the previous fragmented approach.
Scenario 3: Co-Packer Navigating Brand Owner vs. CFIA Expectations
A co-manufacturing facility producing private-label shelf-stable products for three separate brand owners faced a situation common in contract manufacturing: each brand owner had different COA requirements written into their supplier agreements, and none of those requirements had been formally reconciled with the facility’s own PCP verification obligations under SFCR.
Brand Owner A required ISO 17025 accreditation and full pathogen panels on all dry ingredients. Brand Owner B accepted supplier self-certification with no accreditation requirement. Brand Owner C had no documented COA requirements at all. The facility was attempting to satisfy three different sets of expectations simultaneously while maintaining a single PCP, and succeeding at none of them in a way that was audit defensible.
The resolution required establishing a baseline COA acceptance standard at the facility level that met or exceeded CFIA expectations for each ingredient category, independent of what any individual brand owner required. Brand owner requirements that exceeded that baseline were accommodated as additional conditions; requirements that fell below it were not accepted as the governing standard for CFIA purposes.
This approach clarified that the facility’s PCP verification obligations are regulatory, not contractual (brand owner agreements can add requirements but cannot reduce the facility’s SFCR compliance obligations). Working with an accredited laboratory partner to design a confirmatory testing program that satisfied both the most stringent brand owner requirements and CFIA expectations allowed the facility to consolidate testing spend while producing records usable across all three customer relationships.
Frequently Asked Questions
The questions below reflect common points of uncertainty among QA and food safety leaders working to formalize supplier COA integration within their PCP verification programs. The answers are intended as general educational guidance. Your specific program design should reflect your facility’s hazard analysis, product risk profile, and current regulatory context, developed in collaboration with your internal food safety team and, where appropriate, qualified external scientific and regulatory advisors.
Can I rely solely on supplier COAs for PCP verification of a critical control point?
No, and this distinction is important. A supplier COA can function as a verification input for incoming material control, but it is not a substitute for the validation and verification requirements associated with a Critical Control Point as defined in your HACCP-based PCP. If your CCP is a thermal kill step, for example, the verification of that CCP requires evidence that the step itself is performing as validated, not simply that incoming materials were tested.
Where supplier COA review is intended to serve as a prerequisite program control rather than a CCP verification activity, the role and limitations of that control should be clearly described in your PCP. For high-risk ingredients where microbiological status at receiving directly affects finished product safety, COA review combined with risk-based confirmatory testing by an accredited laboratory represents a more defensible approach than COA review alone.
What accreditation must a supplier’s lab hold for pathogen testing?
For pathogen testing results to carry meaningful weight as a COA verification input, the issuing laboratory should hold ISO/IEC 17025 accreditation from a recognized accreditation body (ideally an ILAC-member body) with a scope that explicitly covers the pathogen tested and the food matrix in question. General ISO 17025 accreditation without scope coverage for the specific test and matrix does not provide the same level of assurance.
When evaluating a new supplier’s laboratory credentials, request a copy of their current accreditation certificate and the associated scope document, and verify that the relevant tests appear within the accredited scope. For international suppliers, confirm that the accreditation body is an ILAC member, which supports mutual recognition of accreditation decisions across national boundaries.
How often should I conduct confirmatory testing against supplier COAs?
Confirmatory testing frequency should be risk-based and documented in your PCP or supporting supplier verification procedures. There is no single regulatory-prescribed frequency that applies universally; instead, the appropriate interval reflects the hazard profile of the ingredient, the consequence of a failure reaching your process, your supplier’s performance history, and whether the ingredient undergoes a validated kill step in your facility.
Common triggers and scheduling approaches include:
New supplier onboarding: confirmatory testing of initial lots before the supplier is fully qualified, regardless of ingredient risk tier
High-risk ingredients (post-lethality, RTE-destined): scheduled independent testing at defined intervals, commonly quarterly, but potentially more frequent for critical ingredients with limited supplier alternatives
Borderline or trending COA results: immediate confirmatory testing when supplier results approach specification limits, even if they remain within acceptance criteria
Supplier process changes: confirmatory testing following any notification of changes to the supplier’s manufacturing process, facility, or laboratory methods
Annual reassessment: review of confirmatory testing frequency as part of your annual PCP review, adjusted based on accumulated supplier performance data
The key principle is that confirmatory testing frequency decisions should be made proactively, documented in advance, and applied consistently, not triggered reactively only when something goes wrong. A testing schedule that exists only in someone’s judgment rather than in a written procedure is not a verification program; it is a practice that cannot be demonstrated during an inspection.
An accredited third-party laboratory can support this process by designing a confirmatory testing plan aligned with your ingredient risk categories, providing results on COA formats that integrate directly into your PCP records, and helping you interpret trend data over time to support supplier performance decisions.
What should I do when a supplier COA method differs from Health Canada references?
When a supplier’s laboratory uses a rapid or alternative method rather than a Health Canada MFHPB, AOAC, or ISO reference method, your acceptance criteria should require the supplier to provide method validation documentation demonstrating equivalency to the applicable reference method for the specific organism and matrix. AOAC Performance Tested Methods designation or AOAC Official Methods of Analysis status are recognized frameworks for this equivalency demonstration.
If the supplier cannot provide adequate validation documentation, treat the COA result as unverified for that parameter and require confirmatory testing using a reference method before releasing the material, particularly for ingredients in high-risk categories. Document your evaluation of the method question and the basis for your release or hold decision as part of the COA review record.
Does CFIA require electronic COA records or accept paper documentation?
CFIA does not currently mandate electronic record-keeping for COA documentation; paper records are generally accepted provided they are legible, complete, retained for the required period, and retrievable during an inspection. That said, the practical advantages of electronic systems (searchability by lot number, supplier, ingredient, or date; linkage between COA records and finished product batch records; trend analysis across multiple shipments) make electronic record management worth considering as an operational investment rather than a regulatory requirement.
Whatever format your records take, the critical requirements are completeness (the record captures all required evaluation points and the disposition decision), traceability (a specific lot can be located quickly and its verification history reconstructed), and retention (records are kept for the period required under SFCR for your license category).
How do I handle COAs from international suppliers using non-Canadian methods?
International supplier COAs frequently reference methods from national standards bodies (USDA, USFDA BAM, European EN ISO standards, or country-specific reference methods) rather than Health Canada MFHPB methods. In most cases, major international reference methods for common food pathogens and indicators are scientifically equivalent to Canadian reference methods, and results generated using them can be evaluated against your acceptance criteria with appropriate technical justification. However, that equivalency should be documented rather than assumed.
The practical approach is to maintain a method equivalency reference document in your supplier qualification files that identifies the international methods your suppliers use, their Canadian equivalents, and the basis for treating them as equivalent for your acceptance criteria purposes. For less common methods or unusual matrices, consult with your accredited laboratory partner to evaluate whether the method provides comparable analytical performance. Where equivalency cannot be established, require confirmatory testing using an accredited Canadian laboratory before material release.
For ingredients where the regulatory status of the supplier country is relevant (for example, ingredients from countries with different maximum limits for certain indicator organisms or different pathogen testing requirements), additional review is warranted. This is an area where the technical assessment intersects with import regulatory compliance under SFCR, and it may be appropriate to involve your regulatory affairs team alongside your food safety and QA leads.
What are the consequences of accepting a COA without proper review?
The consequences operate on two levels simultaneously. At the regulatory level, accepting materials without a documented formal COA review as described in your PCP creates a verification gap that is directly visible during a CFIA inspection. Depending on the severity and pattern of the gap, this can result in inspection findings ranging from observations requiring corrective action to more significant compliance outcomes under SFCR.
At the food safety level, the consequence is less predictable but potentially far more serious: a contaminated lot that was released because no one formally evaluated the COA, or because the COA itself was inadequate and that inadequacy was never identified, can enter your process and reach consumers. The traceability requirement that makes the regulatory consequence manageable is the same documentation system that allows you to act quickly when a food safety problem emerges. A facility without that system faces both problems at once, with fewer tools to manage either.
Building COA Review into Your Food Safety Culture
The technical framework for COA integration (the criteria, the review procedures, the confirmatory testing schedule, the documentation requirements) is necessary but not sufficient. A verification program that exists only in procedures and records, without being genuinely understood and applied by the people responsible for it, tends to degrade under operational pressure. Receiving is busy. Purchasing is managing relationships. QA is stretched across competing priorities. The COA review step, which requires judgment and carries real consequences, needs to be embedded in the operational culture of your facility rather than treated as a documentation obligation that runs parallel to real work.
Positioning Supplier Verification as Proactive Risk Management
One of the most effective reframes available to food safety leaders is shifting the organizational narrative around supplier COA review from compliance activity to risk intelligence. A well-designed COA review program generates data about your supply chain that is genuinely useful for operational decision-making: which suppliers are consistently meeting specification, which are trending toward limits, which are using methods that deserve closer scrutiny, and which ingredient categories carry the highest incoming hazard load. That data, trended over time and reviewed systematically, supports better supplier management decisions, more targeted confirmatory testing investment, and earlier identification of supply chain changes that could affect your food safety program.
When QA leaders present COA review to plant management and purchasing teams in this framing (as a risk intelligence function that protects the facility from supply chain surprises and supports better supplier conversations), it tends to receive more consistent organizational support than when it is framed as a documentation requirement imposed by regulators. The regulatory requirement is real and the documentation matters, but the operational value of systematic supplier data is what makes the program sustainable over time rather than something that is maintained just well enough to pass the next audit.
Training Purchasing and Receiving Teams to Recognize COA Red Flags
Purchasing and receiving personnel are typically the first points of contact with supplier COAs, and they are in a position to identify red flags that warrant escalation to QA before a material is released, if they know what to look for. Basic training for these teams should cover: how to confirm that a COA lot number matches the shipment documentation; how to check whether reported results include all required parameters; how to verify that the issuing laboratory is on the facility’s approved supplier lab list; and what the escalation path looks like when any of these checks raises a question.
This training does not turn purchasing or receiving staff into microbiologists, nor should it. It equips them to recognize when to pause and escalate rather than to conduct the formal evaluation themselves, which remains a QA responsibility.
Next Steps: Gap Assessment, Supplier Scorecards, and Accredited Lab Partnerships
If your current COA integration program has not been formally assessed against the framework described in this article, a structured gap assessment is a practical starting point. Map each incoming ingredient category to your hazard analysis, review your current acceptance criteria (or identify where they do not yet exist), evaluate your supplier laboratory accreditation files for completeness and currency, and assess whether your current confirmatory testing program (in terms of frequency, scope, and the accreditation status of the laboratory you use) provides the independent verification your PCP describes.
Supplier scorecards that incorporate COA performance data (trending results against specification, tracking the timeliness and completeness of COA submission, flagging method changes) provide a structured mechanism for translating your verification program into supplier management decisions. Suppliers with consistently strong COA performance and a track record that your confirmatory testing has validated can reasonably receive less intensive verification scrutiny than new or inconsistent suppliers. That risk-based differentiation is exactly what CFIA expects to see in a mature supplier assurance program, and it also makes your verification investment more efficient over time.
Cremco Labs supports Canadian food manufacturers in designing and executing the independent confirmatory testing component of supplier verification programs, with ISO/IEC 17025 accreditation, recognized reference methods, and COA documentation that integrates directly into PCP verification records. Visit https://cremco.ca/food-safety-testing/ to learn more about how Cremco Labs can support your supplier verification program with accredited microbiology testing and scientific study design guidance.