This book is written by an internal auditor for internal auditors. It isn't badly written, but it is turgid: I could take almost any sentence and reduce its length by a third.
So, if you're not an internal auditor, why read it? Frankly, because if you're a management consultant, it's quite a useful book (and can even be interesting). Reasons:
1. It's about internal control. Its main argument is that the COSO Framework for corporate governance is limited by its origins with the accounting profession and the Big Five; COSO is concerned primarily with internal accounting (financial) controls, only secondarily with the controls that constitute a governance framework.
2. It defines "internal control" in workable terms, proposing an alternative framework to COSO's. This framework can be exceedingly useful if you want to (1) place yourself and your consulting services in clear relation to what a business may need to have done and (2) develop checklists for diagnosing the ills of the client business.
3. It gives a thorough and even interesting account of the drivers and external stakeholders (the Foreign Corrupt Practices Act, Federal Sentencing Guidelines, the GAO, FDIC, the professional accounting organizations, etc.) influencing internal control accountability.
4. It provides deep insight into the auditor's job and the business's expectations. It provides sets of sample questions that the auditor might ask, as well as sample text for reports.
Of course, the book has some limitations. For one thing, it was published in 1998. This is not to say that it is out of date. But much has happened since, and an update would be valuable, especially since COSO has just issued (May 2013) an update to both the Framework and the Illustrative Tools for Assessing Effectiveness.
Let me propose some topics, then, for graduate theses:
1. Map the book's framework to
a. The Balanced Scorecard: Translating Strategy into Action
b. Enterprise Architecture As Strategy: Creating a Foundation for Business Execution
2. Apply its insights to
a. The mortgage lending and subprime derivatives crisis (Root discusses the S&L crisis of the 1980s and '90s as well as the derivatives scandals of the 1990s, e.g. Procter & Gamble, Barings, Sumitomo.)
b. The collapse of Enron (Root discusses the McKesson & Robbins fraud of the 1930s, as well as the place of business ethics and the "tone at the top," set by the CEO, in achieving effective corporate governance.)
Beyond COSO does have a few holes in its coverage.
1. Organizational change management is not mentioned, but then, management implementation of changes proposed by Audit is not really within the book's scope.
2. For all its discussion of risk management and "chaos theory" (the inevitability of unpredictable, unfortunate events), there is surprisingly little attention given to contingency planning, incident management, and disaster recovery. It is as if internal control is inherently concerned only with the normal, repeating, and therefore predictable operations of the business. Succession planning gets attention, but it is never related to sudden death.