Which internal control framework is commonly used in U.S. public companies for governance and reporting?


Multiple Choice


Explanation:
COSO is the framework commonly used by U.S. public companies for governance and reporting because it provides an integrated approach to designing and evaluating internal control over financial reporting (ICFR). Published by the Committee of Sponsoring Organizations of the Treadway Commission (current edition: the 2013 Internal Control - Integrated Framework), it is the framework that SEC guidance recognizes as suitable for management's Sarbanes-Oxley Section 404 assessment and that external auditors rely on when attesting to ICFR. The model defines five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring activities, supported in the 2013 edition by 17 principles. Together these establish and maintain effective internal control. For security practitioners, the relevance is that IT general controls over financially significant systems (logical access, change management, computer operations) are tested as part of SOX compliance, and COBIT is frequently used to map those IT controls onto the COSO components. The other frameworks address different areas: the ISO/IEC 27000 family (notably ISO/IEC 27001) specifies information security management systems, COBIT emphasizes IT governance and management, and PCI DSS targets the protection of payment card data. Thus COSO best fits the governance and reporting context for U.S. public companies.