The aim of this research is to explore the factors influencing enterprise risk management and auditing mechanism of internal control in the internet of things (IoT) environment. Applying a qualitative research approach and following the Gowin's Vee research strategy, firstly, this study reviewed the relevant literature and used the Delphi expert assessment method to identify risk factors as well as auditing items in the IoT environment. Secondly, according to the nature of eight types of intersecting risks and internal control framework of COSO 2013, this study constructed the three lines of defense in effective risk management and internal control mechanism based on the evaluation criteria of Capability Maturity Model Integration (CMMI). Lastly, this research conducted empirical case study from three enterprises to verify that whether the risk factors and auditing mechanism can be effectively used for internal risk control assessment within the corporation. The audit mechanism established in this study and the empirical process of case study can be referenced by academia for enhancing the knowledge of qualitative research, and also by industries as IT governances in the IoT environment.