This has always been my favorite book on internal control processes. What I particularly like about it is the way that it espouses controls that generate other controls. I know I've likely lost the average book review reader already, but I'll explain.
Internal control is a phrase used to explain all the things that one does in a business to ensure that the organization is meeting its objectives. The term "business risk" is used to indicate the uncertainty that surrounds the achievement of goals. Controls are how you ensure that the many activities that make up the firm stay within certain desired bounds. Controls are also how you attempt to deal with unpleasant asynchronous surprises such as workplace injury, economic disruption, cyber threats, and so on.
The author presents an extensive set of example controls with plenty of guidance to give shape to reasonable controls you can operate in your business. The writing is quite clear and the author is one of very few who are doing something other than parroting the usual received wisdom.
I've spoken with and corresponded with this author and found him to be intelligent, generous with his time, and way outside that received-wisdom crowd. He operates a useful website and you can find routine publications on or for various government bodies, corporations, etc. He's the real deal.