
AI Today in 5: June 24, 2026, the Why AI Strategies Fail Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, I will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership or general interest about AI.

  1. AML needs a unified AI compliance platform. (FinTechGlobal)
  2. Why AI strategies fail. (com)
  3. NJ AI law would expand compliance obligations. (NationalLawReview)
  4. AI in healthcare perpetuating stereotypes. (PsyToday)
  5. 7 AI terms every CFO needs to know. (PYMNTS)

For more information on the use of AI in compliance programs, check out my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com. To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out my latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.


Trekking Through Compliance: Episode 24 – This Side of Paradise: Essential Takeaways for Compliance Vigilance

Show Summary

Star Trek has consistently excelled at blending imaginative storytelling with deeply reflective, ethical, and compliance lessons. In the episode “This Side of Paradise,” Captain Kirk and the crew of the USS Enterprise visit a colony thought to be lost, only to discover colonists who appear unnaturally happy and content due to the influence of strange alien spores. These spores eliminate negative emotions and ambition, creating an illusion of paradise. However, beneath the serene surface lies an unsettling truth, one that reveals significant lessons for corporate compliance professionals.

Lesson 1: The Danger of Complacency

Illustrated By: Upon their arrival, Captain Kirk and his crew are astonished at how content and relaxed the colonists appear, lacking any sense of urgency or purpose beyond their immediate happiness. The spores create an environment devoid of ambition or challenge.

Compliance Lesson: Complacency is a significant risk in corporate compliance. When companies become too comfortable, essential controls can slip, leaving vulnerabilities unnoticed.

Lesson 2: Understanding the Real Nature of Risks

Illustrated By: Spock, affected by the spores, embraces an emotional side long repressed, initially finding joy and peace. Yet, Kirk soon realizes that beneath the artificial happiness lies a dangerous stagnation and lack of progress.

Compliance Lesson: Compliance officers must develop comprehensive risk assessment processes that look beneath surface-level compliance indicators.

Lesson 3: The Critical Importance of Culture

Illustrated By: Despite being seduced by the spores’ false paradise, Captain Kirk resists their influence due to his strong commitment to duty and mission, illustrating his deeply embedded professional and personal integrity.

Compliance Lesson: Organizations that foster strong ethical values and clearly defined principles are better equipped to withstand pressures and challenges.

Lesson 4: The Necessity of Clear and Effective Communication

Illustrated By: Kirk ultimately defeats the spores by broadcasting an emotionally charged message that disrupts their tranquilizing effects, restoring awareness and rational thinking to the affected crew.

Compliance Lesson: Compliance officers must clearly articulate expectations, rules, and regulations through targeted and impactful messaging.

Lesson 5: Resilience in the Face of Adversity

Illustrated By: After breaking the spores’ influence, the crew members realize the illusory nature of their paradise and recommit themselves to their mission and responsibilities, emerging stronger and more focused.

Compliance Lesson: Encouraging resilience involves preparing for potential compliance breaches with robust response plans, clear accountability structures, and lessons-learned reviews.

Final ComplianceLog Reflections

This Side of Paradise offers a vivid metaphor for corporate compliance professionals, illustrating the dangers lurking within complacency, the hidden nature of certain risks, and the powerful influence of a well-embedded compliance culture. By emphasizing proactive vigilance, thorough risk assessments, robust communication, and organizational resilience, compliance leaders can steer their companies clear of deceptively comfortable but ultimately harmful situations. Like Captain Kirk, compliance professionals must boldly confront challenges, keeping the integrity and commitment central to their mission and ensuring sustainable and ethical organizational success.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Timothy is an AI generated voice.


Compliance into the Weeds: Bosch and the Foreign Direct Product Rule: Lessons from the Export Controls and NSD Settlement

The award-winning Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss the recent Bosch export controls enforcement action involving two German subsidiaries that sold about $72 million in advanced microsensors and software to Huawei from 2020 into late 2024.

Their actions violated U.S. export controls tied to the Foreign Direct Product Rule and 2020 “footnote one” restrictions. Although Bosch voluntarily self-disclosed, cooperated, remediated, disgorged profits, and received a DOJ criminal Declination, BIS imposed a $36.1 million civil penalty, citing fundamental compliance failures: an understaffed and underqualified export controls function, confusion between the de minimis rule and the foreign direct product rule (which has no de minimis exception), and mishandling repeated external warnings from business partners and suppliers. They highlight internal control and communication breakdowns (including external signals) and the need to build specialized export/sanctions compliance capacity, noting BIS issued a compliance framework in 2020 and offers training.

Key Highlights

  • Bosch case overview
  • Understaffed compliance fallout
  • Ignored partner warnings
  • Declination and remediation
  • COSO signals and controls
  • Building export compliance muscle

 

Resources

Matt in Radical Compliance

Tom in the FCPA Compliance Blog: Part 1, Part 2, Part 3, Part 4. Part 5 posts Thursday June 52.

 



Hill Country Podcast – Catching on All Things MOWA with Darrell Beauchamp

Welcome to the award-winning Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth. In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this one of the most unique areas of Texas. In this award-winning podcast series, Museum Executive Director Darrell Beauchamp is interviewed by Tom Fox to discuss the Museum’s current exhibit featuring well-known landscape artist Cliff Cavin.

Beauchamp discusses the Museum’s current exhibit, “Cliff Cavin: Journeys of a Lifetime,” featuring 54 new landscape paintings by Seguin-based artist Cliff Cavin displayed across two galleries and launched with a reception of nearly 100 attendees. Beauchamp also reflects on the Museum’s April Roundup, highlighting 19-year-old award winners Eliza Hoffman (Patron’s Choice) and Nathaniel Garza (Director’s Choice), including Garza’s donated painting “The Witness,” inspired by the July 4 flooding, now in the permanent collection. They discuss how digital platforms expand market access for younger artists, why sales announcements are emotional for artists, and Kevin McPherson’s influence as a teacher. Beauchamp previews upcoming exhibits by Adrienne Stein, Bill Colwick and Eric Slocum, and notes the community impact of the museum’s remembrance garden. Visitor details and website are provided.

Highlights Include:

  • Cliff Cavin exhibit
  • Roundup Wrap Up
  • Upcoming exhibits
  • Remembrance Wall
  • State and National Flag tribute to America250

Resources

 

Museum of Western Art

Darrell Beauchamp on LinkedIn

 

Other Hill Country Focused Podcasts

Hill Country Authors Podcast

Hill Country Artists Podcast

Texas Hill Country Podcast Network

Cover Art

Nancy Huffman


Daily Compliance News: June 24, 2026, The Denying Sorsby Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Gautam Adani met with Don Jr. before garnering a Trump pardon. (Forbes)
  • DOJ shuts down Teamster oversight. (NYT)
  • NFL shuts down Supplemental Draft. (WSJ)
  • Judge allows search of AI prompts and queries. (Reuters)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.


The Bosch Delineation, Part 4: Third-Party Warnings and the COSO Principle 15 Failure

The Bosch enforcement action is, at one level, an export controls case. But for compliance professionals, it is also a communications failure. More specifically, it is a case study in what can happen when a company receives significant external compliance information but does not treat that information as control-relevant intelligence.

That is why COSO 2013 Objective IV, Information and Communication, is such a useful lens for the penultimate post in this Bosch series. COSO Objective IV states that management must obtain or generate and use relevant, quality information from both internal and external sources to support the functioning of internal control. It also describes communication as a continual, iterative process of providing, sharing, and obtaining necessary information. External communication is expressly twofold: it enables inbound communication of relevant external information and allows the organization to provide information externally in response to requirements and expectations.

That framework maps directly onto Bosch. The issue was not that Bosch lacked all information. The issue was that Bosch lacked an effective system to recognize, escalate, reconcile, and act on information it already had. The thesis is simple: Bosch failed to treat third-party communications as control information under COSO Principle 15. The Bosch order illustrates what a Principle 15 failure can look like in practice.

Principle 15: External communication is not just outbound messaging

Principle 15, “Communicate Externally,” is sometimes understood too narrowly. Companies often think of external communication as pushing information outward: codes of conduct, supplier expectations, hotline information, compliance certifications, contractual clauses, and policy requirements. Those are important. But they are only half the principle.

The COSO summary makes clear that Principle 15 also recognizes that outside parties can provide information to management about the effectiveness of internal controls and regulatory communications. In other words, third parties are not only recipients of compliance expectations. They can also be sources of control information. Compliance officers must evaluate communication lines to third parties because information can flow both ways: compliance obligations can go out, and compliance issues can come back.

That is the key Bosch lesson. Bosch’s suppliers and contract manufacturers were not merely exchanging paperwork. They were providing information that challenged Bosch’s existing compliance conclusion. They were telling Bosch, in substance, that something about the Huawei analysis might be wrong. Under Principle 15, those communications should have entered a controlled process for review, escalation, reconciliation, and documented decision-making.

As noted in the BIS-Bosch Order, Bosch continued to rely on erroneous guidance for more than four years despite indications that should have raised questions about the accuracy of the original August 25, 2020 guidance.

Company Four: the first external warning

Company Four sent the purchasing department of BST (a Bosch subsidiary named in the Order) a letter on September 2, 2020. It explained the relevant rule and advised BST that it should assume the equipment involved in Company Four’s assembly and test processes triggered the relevant product-scope provisions. Company Four also requested that BST complete a compliance certification addressing whether products processed by Company Four would be incorporated into items produced, purchased, or ordered by Huawei, or whether Huawei was a party to any transaction involving Company Four’s product.

That communication should have been treated as a control event. It came from an external party with direct knowledge of its own production and testing environment. It raised a specific compliance concern. It requested a certification. It implicated a high-risk customer. It was precisely the kind of external information Principle 15 expects a company to receive, process, and use.

Bosch’s response illustrates the failure. BST’s purchasing and logistics personnel forwarded the letter to the BST Executive. Bosch trade compliance personnel in Germany then drafted a general but inaccurate response stating that BST’s transactions were compliant and that Company Four’s products were not incorporated into, or used in, products subject to the EAR. Company Four pushed back, noting that the response did not expressly address the recent Huawei-related changes and explicitly warning that equipment used at Company Four factories included U.S. export-controlled equipment. Company Four further said BST should assume that transferring products worked on by Company Four to or for Huawei might be prohibited. BST purchasing personnel took no further action, and BIS found that Bosch did not analyze the Company Four warning to determine whether Bosch’s own understanding was consistent with Company Four’s warning.

For CCOs, this is the moment Principle 15 becomes operational. An inbound external communication that contradicts internal guidance should trigger a defined escalation pathway. It should not depend on whether purchasing personnel recognize the legal significance of the warning.

Company One: the certification that should have forced reconciliation

Company One’s February 2021 certification request presented another clear opportunity. Company One asked personnel at a Bosch production facility to complete an end-user certification in connection with items produced using Company One’s epitaxy machines. The certification required Bosch personnel to acknowledge that direct products of the machines could be subject to a license requirement if the relevant rule applied. It also asked Bosch personnel to certify that the machines would not be used in production or development of items produced, purchased, or ordered by an entity with a footnote 1 designation.

This was not routine vendor paperwork. It was a third-party control communication requiring a representation from Bosch. Bosch personnel asked German trade compliance for advice. A Germany-based trade compliance employee correctly advised that Huawei was a footnote 1 entity and that products manufactured with Company One’s equipment must not be involved in business activities with Huawei if the document was to be signed. Yet when the BST Executive separately learned of the certification request, he provided the production facility personnel with the earlier August 25, 2020 email stating that the rule did not affect BST products. The production personnel then signed the certification without reconciling the conflicting guidance and the specific warning provided by Company One.

This is a classic internal-control breakdown. The external communication entered the organization. Compliance was consulted. A relevant warning was generated. But the organization lacked a mechanism to force reconciliation between the supplier certification, the newer internal advice, and the original advice. Principle 15 requires communication lines that allow external information to inform management’s understanding of control effectiveness. Here, the warning was received but not converted into action.

Company Five: the warning Bosch treated as a supplier problem

Company Five’s communication in June 2023 was even more striking. In connection with onboarding Company Five as a new contract semiconductor manufacturer, Company Five told BST that BST would not be able to provide products containing items manufactured by Company Five to Huawei without appropriate authorization. When BST procurement asked why, Company Five cited the relevant rule and referenced the $300 million Seagate penalty for sales to Huawei without authorization.

That should have triggered a broader question: if Company Five believed its manufacturing process created a restriction, why would Bosch assume that similar risks did not exist with other suppliers or contract manufacturers?

Instead, the response became supplier-specific. A Bosch trade compliance professional in Germany advised that Company Five’s position was based on its internal policy and not compelled by U.S. export requirements. BST’s Managing Director responded that Company Five’s position made it an unsuitable supplier. BIS found no evidence that BST management, procurement, or trade compliance personnel made appropriate efforts to understand why the restrictions cited by Company Five would not affect BST’s other suppliers or Bosch’s ability to sell sensors to Huawei.

For a CCO, this is a critical lesson. Third-party resistance is often compliance data. When a supplier refuses to proceed, demands a certification, cites a regulatory issue, or references a peer enforcement action, the company should not dismiss the issue as the supplier’s internal policy. It should ask whether the supplier has identified a risk that the company has missed.

Contract manufacturer certifications: repeated paperwork, repeated missed signals

Between 2021 and 2024, BST employees signed multiple compliance certifications for two contract semiconductor manufacturers involved in the BST Sensor production process, including Company Two. Each certification noted that items produced by the manufacturers were subject to the EAR and required BST to certify that it would not provide such items to a footnote 1 entity. The relevant BST personnel later explained that they signed the certifications because they did not understand that Huawei was a footnote 1 entity.

That fact is particularly important for compliance professionals because it shows how external communication failures often begin in business functions. Procurement, logistics, supply chain, legal, contract management, production, and customer-response personnel may be the first employees to receive a supplier warning or sign a certification. If they do not understand escalation triggers, the compliance function may never receive the information in a usable form.

Principle 15 therefore requires more than an external-facing policy. It requires training and controls around inbound third-party information. Employees need to know that certifications, supplier refusals, regulatory references, customer warnings, and contract clauses may be compliance intelligence.

Lessons learned for compliance professionals

  1. Treat third-party compliance communications as control information. Supplier letters, certifications, onboarding objections, contract restrictions, and compliance representations should be categorized, tracked, and reviewable.
  2. Build escalation triggers. Any third-party communication that references a restricted customer, government list, license requirement, blocked transaction, sanctions/export rule, enforcement action, or inability to proceed should require escalation to compliance or legal.
  3. Require the reconciliation of conflicting information. When external warnings conflict with prior internal advice, the prior advice should not automatically control. The company should document the conflict, identify the owner, obtain subject-matter review, and record the final rationale.
  4. Train the first receivers. CCOs should ensure that procurement, logistics, supply chain, legal, production, and contract management personnel know when third-party communications are not merely commercial communications. They need practical examples and clear escalation channels.
  5. Track certifications centrally. Certifications signed by business personnel should be stored, searchable, and periodically reviewed by compliance. Repeated certifications on the same topic should be treated as a pattern, not isolated paperwork.
  6. Treat supplier refusals as red flags. When a supplier will not support a transaction because of a compliance concern, the response should not be limited to replacing the supplier. Compliance should ask whether the supplier has exposed a broader control gap.
  7. Close the loop. Principle 15 is not satisfied when a third-party warning is forwarded. It is satisfied when the company receives the information, evaluates it, escalates it, acts on it, and documents the decision.
  8. Test the system. A CCO should be able to ask: Can we identify all third-party compliance warnings received in the last year? Who reviewed them? Which were escalated? Which changed a control, a customer decision, a supplier decision, or a legal conclusion?

The Bosch order demonstrates that compliance failures do not always arise from a lack of information. Sometimes the information is already inside the company. The failure is the absence of a system to recognize it, escalate it, and act on it. That is the core Principle 15 lesson, and it is one every CCO should take seriously.