Cannabis Testing Lab Compliance: What Actually Gets Labs Cited
Cannabis testing lab compliance trips up even experienced teams. Here's what regulators actually flag—and how to fix it before your next audit.
Cannabis testing lab compliance isn't just about running the right assays—it's about proving you ran them correctly, every single time. In this post, we'll walk through the most common compliance gaps regulators find in cannabis labs, and what you can do about them before someone hands you a deficiency notice.
Why Cannabis Lab Audits Hit Different
Most lab directors I talk to have experience with ISO 17025 or CLIA audits. Cannabis is a different animal. You're often dealing with state-specific rules that were written fast, updated frequently, and interpreted differently by different inspectors.
In many states, cannabis testing labs answer to an agriculture department, a cannabis control board, and sometimes a health department—simultaneously. Each one may have its own forms, its own definitions of what a "passing" COA looks like, and its own documentation preferences.
The compliance burden is real. The good news is that most citations come from a pretty short list of recurring problems.
Chain of Custody: Where Most Labs Bleed Points
Ask any cannabis compliance inspector what they look for first, and the answer is almost always chain of custody. Not because labs are doing anything shady—but because the paperwork is messy.
Common chain of custody failures include:
- Gaps in handoff signatures. Sample arrives, intake tech logs it, but there's no signature from the person who transported it from the intake area to the prep bench.
- Time discrepancies. The submission form says 9:14 AM, the LIMS log says 9:47 AM, and nobody documented why.
- Missing sample condition notes. If a sample arrived with a damaged seal or at the wrong temperature, that needs to be captured at intake, not reconstructed later.
Fix this by building your intake SOP around the assumption that every data point will be cross-referenced against your system timestamps. If your LIMS is auto-timestamping logins and sample events, you need your paper process to match that granularity.
Sample Integrity Flags That Regulators Love to Find
A related problem is sample integrity documentation. Let's say a flower sample arrives with visible moisture condensation inside the bag. Your tech notes it verbally, runs the sample anyway, and it passes. Great—until an inspector asks where that observation is documented.
If it's not in the record, it didn't happen. Build a mandatory intake checklist that captures condition observations as structured data, not free-text comments buried in a notes field nobody reads.
OOS Results and the Cannabis Lab Trap
Out-of-spec (OOS) handling in cannabis testing has a specific compliance trap that bites labs regularly: retesting without a documented rationale.
Here's how it usually plays out. A potency result comes in high—above the state action limit for THC in an edible, say. The analyst reruns it. The retest comes in lower. Lab reports the lower number. Problem solved, right?
Not if there's no investigation record explaining why the retest was valid. Regulators want to see:
- The original result flagged as OOS
- A Phase I investigation (was it a lab error—instrument malfunction, sample prep issue, transcription mistake?)
- A documented decision on whether the retest is scientifically justified
- The final reported result tied to that investigation
Without that paper trail, it looks like you shopped for a passing result. Even if your intentions were completely clean.
What a Defensible OOS Record Looks Like
Take a hypothetical: Green Apex Analytics in Colorado gets a potency result of 32.4% total THC on a concentrate with a label claim of 28%. The state threshold triggers an OOS flag. The analyst checks the instrument log, finds a calibration drift event logged that morning, documents it, reruns the calibration, and reruns the sample. Result comes back at 27.9%.
That's a defensible retest—because there's a documented instrument-side cause for the original aberrant result. The key is that the cause was identified before the retest, not invented after.
If your LIMS auto-flags OOS results and opens an investigation workflow, this process becomes hard to skip accidentally. If you're doing it manually, build a locked template that requires fields to be completed before a retest can be authorized.
COA Generation: The Details That Sink You
Certificates of Analysis are the public face of your lab. They're also one of the most-cited deficiency areas in cannabis lab audits—not because labs are faking results, but because COA formatting requirements are surprisingly specific and vary by state.
Things to double-check on every COA template:
- Accreditation number and scope. Some states require the specific accreditation scope listed on the COA itself, not just the lab name.
- Sampling method reference. Who collected the sample? Using what protocol? That often needs to be referenced.
- Uncertainty of measurement. A growing number of state programs are requiring measurement uncertainty to appear on COAs for potency assays. If yours doesn't include it yet, check your state regs now.
- Analyst signature vs. authorizing signature. Some states require a separate review/approval signature from a lab director or QA manager. One signature isn't always enough.
- Result units and detection limits. Reporting "ND" without specifying the LOD or LOQ in the same document is a common flag.
Run your current COA template against your state's most recent guidance document. Regulations get updated more often than most labs refresh their templates.
Audit Trails: The Compliance Feature Labs Forget to Use
Every modern LIMS has an audit trail. Not every lab uses it the way auditors expect.
An audit trail should capture who changed what, when, and—critically—why. That last part is where a lot of labs fall short. A system log that shows "result edited by user jsmith at 14:32" is better than nothing, but it doesn't tell the inspector why the edit happened.
Best practice is to require a reason code or free-text justification any time a result or sample record is modified after initial entry. Some labs set this up as a mandatory field that can't be bypassed. Others use a tiered approach: minor edits (typos, unit corrections) get a reason code; result changes get a full deviation record.
Also worth reviewing: who has permission to edit what. If analysts can edit their own finalized results without QA review, that's a finding waiting to happen. Role-based access controls aren't just an IT nicety—they're a compliance requirement in most accreditation frameworks.
A LIMS like Aliquora handles this with configurable role permissions and audit trail entries that require a reason on any post-approval edit, which makes it much harder for well-intentioned shortcuts to turn into inspection findings.
Method Validation and Scope Creep
One underappreciated compliance risk in cannabis labs is running methods outside your validated scope.
Here's a scenario: your lab is accredited for potency, terpenes, residual solvents, and pesticides. A client asks about mycotoxins. Someone on your team has run mycotoxin assays before. You have the instrument. So you run it, issue a COA, charge for it.
If mycotoxins aren't in your accreditation scope, you just created a major compliance problem—regardless of whether the result is accurate.
This is scope creep, and it's more common than labs want to admit. The fix is simple but requires discipline: maintain a posted list of your accredited analytes and matrix combinations, and build a client intake step that flags any request outside that scope before work begins.
When Clients Push for Faster Turnaround
Scope creep often happens under client pressure. A client needs results in 24 hours for a product launch. Your standard turnaround is 3-5 days. Someone shortcuts the sample prep or skips a QC check.
This is where your SOP structure matters more than your relationships. If a step is required by your method, it has to happen regardless of client timeline. Document your turnaround commitments clearly in your service agreements and don't let sales pressure override QC gates.
Building a Pre-Audit Checklist That Actually Helps
Most labs do some version of internal audit prep. The ones that do it well tend to use a checklist that's built around their state's specific inspection form—not a generic ISO 17025 template.
If your state cannabis regulatory body publishes its inspection checklist (many do), print it out and go through it with your QA manager quarterly. If they don't publish it, request it. It's usually a public record.
Focused pre-audit areas for cannabis labs:
- Chain of custody records for the last 90 days—are timestamps consistent?
- OOS log—is every flagged result tied to a closed investigation?
- COA archive—do your issued COAs match your current template requirements?
- Proficiency testing records—are your PT scores current and documented?
- Personnel training files—are competency assessments current for all testing staff?
Make this a standing agenda item, not a fire drill. Labs that treat internal audits as real audits rarely get surprised by the real thing.
Frequently Asked Questions
What are the most common cannabis testing lab compliance violations?
The most frequently cited issues are chain of custody gaps, inadequate OOS investigation documentation, and COA formatting errors—specifically missing accreditation details, incorrect units, or absent measurement uncertainty statements. Personnel training record deficiencies are also consistently flagged.
Do cannabis testing labs need ISO 17025 accreditation?
It depends on the state. Many states require or strongly prefer ISO 17025 accreditation for cannabis testing labs as a condition of licensure. Others have their own accreditation programs or accept accreditation from bodies like A2LA or Perry Johnson. Check your state cannabis control authority's current requirements—this area is still evolving.
How should a cannabis lab handle an OOS result on a potency test?
First, flag the result in your system immediately. Then conduct a Phase I investigation focused on lab-side causes: instrument performance, sample prep, analyst error, or calculation issues. Only if a root cause is identified and documented should a retest be authorized. Report the final result with the investigation record attached.
How often do cannabis testing labs get audited?
This varies significantly by state. Some states conduct annual facility inspections; others do audits on a complaint basis or during license renewals. Labs operating under ISO 17025 through an accreditation body typically undergo surveillance audits annually and full re-assessments every few years. Treat your accreditation audit cycle as your minimum—internal audits should happen more frequently.
What should a cannabis lab COA include to be compliant?
At minimum: lab name, accreditation number and scope reference, sample identifier and client information, collection and receipt dates, test methods used, results with units, LOD/LOQ for each analyte, measurement uncertainty (where required by state), and authorized signatures. Always cross-reference against your specific state's current COA requirements, as these vary and are updated regularly.
Related reading
Cannabis Testing Lab Compliance: What Actually Gets Labs Cited
Cannabis testing lab compliance failures follow predictable patterns. Learn the four areas regulators scrutinize most and how to close those gaps before an audit.
Read Cannabis TestingCannabis Testing Lab Compliance: What Directors Must Know
Cannabis testing lab compliance failures trigger license suspensions and recalls. Here's what lab directors need to audit, fix, and document right now.
Read COA GenerationCOA Design: How to Build a Certificate of Analysis That Passes Audits
Learn how to design a Certificate of Analysis that satisfies regulators, clients, and auditors — with step-by-step guidance and common formatting pitfalls to avoid.
Read