Cannabis Testing Lab Compliance: What Actually Gets Labs Cited
Cannabis testing lab compliance failures follow predictable patterns. Learn the four areas regulators scrutinize most and how to close those gaps before an audit.
Cannabis testing lab compliance sounds complicated, but most citations come from the same handful of issues — and once you know what inspectors are actually looking for, they're very fixable.
Chain of Custody Gaps Are Still the #1 Citation Driver
Every cannabis testing program — whether it's California's BCC, Colorado's CDPHE, or Michigan's MRA — requires labs to document sample custody from intake to disposal. Yet chain of custody gaps remain the leading cause of compliance findings year over year.
The problem usually isn't carelessness. It's paper-based or partially digital workflows that leave handoffs undocumented. A sample gets transferred between analysts, or moved to a different storage unit, and nobody logs it because it felt obvious in the moment.
What inspectors want to see:
- A timestamped record every time a sample changes hands or location
- Who accepted the sample and their credentials
- Storage conditions logged continuously (temperature, humidity where applicable)
- A clear link between the received sample and the final COA
If you're still using a sign-out binder, this is the gap that will hurt you most.
OOS Results Without a Defensible Investigation
Out-of-spec results in cannabis testing — a potency value that's suspiciously high, a pesticide hit near the action level — trigger scrutiny fast. The problem isn't the OOS result itself. It's what labs do (or don't do) after.
Take a real scenario: Green Valley Analytics in Sacramento flags a THC result of 38.4% on a flower sample where the client's historical batches run 22–25%. A quick retest comes back at 23.1%. They report the retest, close the record, and move on. No root cause. No documentation of the investigation steps. That's exactly what gets labs cited.
A defensible OOS investigation needs at minimum:
- A Phase I review (instrument check, calculation review, analyst error assessment)
- A Phase II retest with a fresh aliquot if Phase I finds nothing
- A documented conclusion — even if the conclusion is "cause undetermined"
- A CAPA if the same root cause keeps appearing
This is where a LIMS with built-in OOS flagging earns its keep. Aliquora, for example, automatically flags results that fall outside defined limits and prompts the analyst to open an investigation record before the result can be approved — so the step doesn't get skipped under deadline pressure.
COA Accuracy and Traceability
Certificates of Analysis are the final deliverable, and regulators treat them as legal documents. Common problems:
- Method version mismatch: The COA references SOP-PEST-04 but the lab is already running SOP-PEST-05. Small thing, big flag.
- Instrument ID not captured: The report doesn't tie back to which specific GC-MS or HPLC ran the sample. If that instrument later has a calibration failure, you can't identify affected batches.
- Analyst signature gaps: Electronic signatures need to meet your state's requirements — a typed name in a PDF comment field usually doesn't qualify.
Before every COA goes out, someone should verify that the method version, instrument ID, analyst credentials, and result units all match the underlying raw data. Automating that check beats relying on memory at 5 PM on a Friday.
Audit Trail Integrity — The Quiet Disqualifier
This one doesn't get talked about enough. A lot of states now require that audit trails be complete, tamper-evident, and readily retrievable. If a regulator asks to see every change made to a specific sample record over the last 90 days, can you pull that in under five minutes?
Common audit trail failures:
- Shared login credentials (you can't attribute edits to a specific person)
- Data edited directly in spreadsheets with no change history
- Records deleted rather than voided with a reason logged
The fix isn't exotic. You need individual logins, role-based permissions, and a system that records who changed what and when — with the original value retained. Whether that's a proper LIMS or a rigorously controlled document management system, the requirement is the same.
Frequently Asked Questions
What certifications do cannabis testing labs typically need?
Most states require ISO/IEC 17025 accreditation through a body like A2LA or Perry Johnson Laboratory Accreditation. Some states have their own lab licensing on top of that. Check your specific state cannabis authority's requirements — they vary more than you'd expect.
How often do cannabis testing labs get audited?
Accreditation audits typically happen annually or biennially depending on your accreditation body. State cannabis regulators may conduct unannounced inspections on a separate schedule. High complaint volumes or OOS reporting anomalies can trigger off-cycle visits.
What's the difference between a COA and a lab report in cannabis testing?
In cannabis testing, the terms are often used interchangeably, but technically a COA is the final, signed document released to the client confirming the sample meets (or fails to meet) regulatory limits. A lab report may refer to internal data that hasn't been through final review yet.
Can a cannabis lab get decertified for a single OOS event?
Rarely for one event — but patterns matter. A single OOS with poor documentation is a warning. Repeated OOS results without root cause investigations, or evidence of result manipulation, can lead to suspension or decertification.
What's the most common reason cannabis labs lose accreditation?
Based on publicly available enforcement actions, the most common reasons are failure to maintain adequate quality systems (including missing or incomplete SOPs), proficiency testing failures, and data integrity issues — not technical method failures.
Related reading
Cannabis Testing Lab Compliance: What Directors Must Know
Cannabis testing lab compliance failures trigger license suspensions and recalls. Here's what lab directors need to audit, fix, and document right now.
Read Food SafetyFood and Beverage QC Essentials: 10-Point Checklist
Master food and beverage QC with this practical 10-point checklist covering sampling, OOS flagging, COA generation, and audit trail requirements.
Read COA GenerationCOA Design: Common Pitfalls and How to Fix Them
Poor certificate of analysis design costs labs audits and customer trust. See how Meridian BioAnalytics overhauled their COA process and what changed.
Read