ISO/IEC 17025 and chain of custody: how to audit a report

SUBJECT 157 • RESEARCH ID

S157-2025-ART6560-RJ

Practical auditing of reports: traceability, method, primary data and falsification flags.

Abstract - An analytical report is only useful if it is auditableclear method, traceability, document integrity and minimum evidence of laboratory competence. Certification ISO/IEC 17025 helps to reduce noise, but is no substitute for operational auditing: what matters is the chain of custody (where the sample came from, who received it, how it was identified, how it was tested, how it was reported). This guide establishes a "S157 checklist" for auditing reports (COAs, HPLC/LC-MS reports, endotoxins and sterility), explains typical falsification flags and links the process to the COA Auditor, to Lexicon, à Peptide Database and Lab Tools.

Operational Note:
"ISO/IEC 17025" is not a magic stamp. The real value is in: traceability, chain of custody, method described, primary data (e.g. chromatograms/spectra) and coherence between sample → test → result → signature. Use this article as a checklist before accepting any "99% purity".

1) What ISO/IEC 17025 really means (and what it doesn't)

1.1 What it means

ISO/IEC 17025 is a standard for competence of testing and calibration laboratories. In practical terms, it indicates that the laboratory operates with management system requirements and technical requirements (competence, validation of methods, calibration, metrological traceability, internal quality control and treatment of uncertainty where applicable).

1.2 What it doesn't mean

No guarantee that a specific report is authentic (a PDF can be falsified).
No guarantee that the method used is "ideal" for your question (e.g. HPLC without LC-MS does not confirm identity).
No guarantee that the sample sent to you is the same thing they sold you (chain of custody failure).
Does not eliminate biological risks (sterility/endotoxins are other tests).

Related terms in Lexicon: ISO 17025, Traceability, Batch, COA.

2) Chain of custody: the "skeleton" of trust

Chain of custody is the record of the sample's journey: who collected it, how it was sealed, how it was identified, when it was received, how it was stored, who handled it, what aliquots were made and when the tests were carried out. Without this, a result can be technically correct - but applied to the wrong sample.

2.1 The bare minimum

Unique sample identifier (Sample ID) and lot/batch (where applicable).
Date/time of receipt and condition of the sample (seals, integrity, temperature, state).
Who received and responsibility (signature/name/ID).
Storage conditions before testing (e.g. 2-8°C, protected from light).
Preparation log (reconstitution/dilution) when relevant.

2.2 Where the chain of custody usually "dies"

Seller's COA no proof that the sample tested was your batch.
Generic" report (no Sample ID, no dates, no traceable signature).
Beautiful" PDF with graphics without metadata, without method and without reference to accreditation.

Shortcut S157:
If the report doesn't allow you to call "vial → batch → sample → method → data → result" continuously, treats it as marketing materialnot as evidence.

3) Checklist S157: audit a report in 8 layers

Layer 1 - Document identity

There is report number (Report No.) and numbered pages (e.g. Page 1 of 3)?
There is date of issue and test date (not just "Printed on")?
Is the layout consistent (typography, alignment, logos, footers), with no obvious signs of editing?

Layer 2 - Sample identification

Sample ID unique, description, matrix (powder/solution), quantity received.
Batch/Lot when applicable (and consistent with the bottle).
Chain-of-custodyreception, condition, storage.

Layer 3 - Laboratory credentials (without "blind faith")

Legal name of the laboratory, address, contact details.
Accreditation declaration ISO/IEC 17025 with scope (what is covered).
Where possible: verifiable accreditation reference (national authority/body).

Note: laboratories can be "good" without 17025 for certain tests, but you have to compensate with more transparency of method and primary data.

Layer 4 - Method (the "how")

high-performance liquid chromatographycolumn, solvents, gradient, flow, detector (λ), temperature, run time, sample preparation.
LC-MSionisation type, mode, m/z range, resolution, LC conditions, deconvolution/charge states.
Endotoxins/Esterilitymethod (LAL/alternatives), limits, conditions, incubation times.

If the report only says "HPLC purity: 99.2%" without a chromatogram and without a method: that's a orphan metric.

Layer 5 - Primary data (the "show me")

Chromatogram with readable axes, identifiable peaks and visible baseline.
MS Spectrum or mass table with charge states and deconvoluted mass.
When there is quantification: standards, calibration, controls/QC.

Use the COA Auditor for a quick review and validation of terms/flags in the Lexicon (e.g: Chromatogram, Baseline Noise, Retention Time).

Layer 6 - Results and interpretation (the "so?")

Purity (Area%) explained as a relative metric.
Identity confirmed by mass (LC-MS) when applicable.
Limits, uncertainty/precision when relevant, and acceptance criteria.

Layer 7 - Signatures and responsibility

Signature (digital or physical) of the analyst/reviewer, with name and function.
Disclaimer and restrictions of use ("For research use only", etc.).

Layer 8 - External coherence (the "does it match the real world?")

Does the compound exist and make sense in your context? Check it out on Peptide Database.
Is the method suitable for the type of molecule (peptide, small molecule, salt, conjugate)?
If it's fragile: is there any mention of storage/cold chain? See Information Use Policy and Lab Tools.

4) Classic red flags for counterfeiting or "marketing report"

PDF without primary data (no chromatogram/spectrum), just a table.
Same chromatogram repeated for different substances (identical layout, identical noise, identical times).
Perfect" baseline and peaks that are too "clean" without realistic noise.
No Sample IDdates, signature or method.
Inconsistency between batch in bottle vs. batch in report.
ISO 17025 declaration no scope/no traceability (only "certified").

Rule of thumb:
The "shorter" and "prettier" the report, the more likely it is to be leaflet. Useful reports tend to be "boring": method, data, pages, IDs, signatures.

5) HPLC + LC-MS + biology: the trio that avoids surprises

Even a sample with "ok" identity/purity can fail due to biological risk. For sensitive studies, consider:

Endotoxins (LPS): relevant inflammatory impact.
Sterility: culture/incubation and formal reporting.
Storage/handling: cold chain, freeze-thaw, reconstitution. See Lab Tools and Lexicon.

6) Integration with the S157 internal stack (useful backlinks)

Quick audit: COA Auditor
Tactical definitions: Tactical Lexicon
Context by substance: Peptide Database
Operational tools: Lab Tools and U-100 Calculator
Policies and security: Information Use Policy and Privacy Policy

7) Conclusion

Accreditation ISO/IEC 17025 is a good filter, but operational trust comes from a continuous chain of evidence: identified sample, documented custody, explicit method, primary data, responsible signature and external coherence. If one of these parts fails, the report loses its usefulness - and becomes just a promise in a PDF.

References

ISO/IEC. ISO/IEC 17025: General requirements for the competence of testing and calibration laboratories(Current edition).
Eurachem. The Fitness for Purpose of Analytical Methods. Eurachem Guide.
Snyder LR, Kirkland JJ, Dolan JW. Introduction to Modern Liquid Chromatography. 3rd ed. Wiley; 2010.
Niessen WMA. Liquid Chromatography-Mass Spectrometry. 3rd ed. CRC Press; 2006.

For educational and research purposes only. This article is for documentation, analysis and harm-reduction context. It is not medical advice and does not provide dosing instructions.

Inner Circle

Intelligence Feed.

Receive security alerts, new COAs and protocol updates. Direct access to tactical data.

🔒 OpSec Guaranteed. Unsubscribe anytime.