  • Degree thesis

電子商務型企業資訊風險與內控管理機制之研究

Research on Information Risk and Internal Control Management Mechanism of E-commerce Enterprises

Advisor: 郭瑞祥

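Abstract

In recent years, as the information technology environment has kept changing and network applications have become widespread and developed rapidly, both the economy and society have undergone structural transformation. E-commerce, social commerce, and online and offline consumer behavior have all changed markedly. Although this has created many new business opportunities and business models for enterprises, it has also brought risks and threats that are faster-moving, less predictable, and more uncertain than before. For today's business operations and development, the information risk and information security challenges that organizations face have become increasingly severe, adding more variables of uncertainty and complexity and bringing more crises. In particular, issues such as information security, privacy protection, and forms of digital crime have clearly become key issues that organizations must face first. Organizations' detection and management of operational information risk requires a clear and pragmatic information risk-control strategy and security management mechanism in response, which is especially important for enterprises engaged in online-offline integration.

The purpose of this research is to develop internal control, audit, and risk management mechanisms for enterprise information, so as to keep business operations and information risk within a controllable range. As the information environment advances, complexity keeps rising, and the need for risk control and auditing of information systems grows day by day; the accuracy of data and the control of information risk directly and indirectly affect the accuracy and reliability of the information in a company's financial statements, and enterprises treat them as a top priority. Managers therefore need to stay alert at all times to risks surrounding the enterprise externally or latent within the organization, and establish complete mechanisms and systems for information crisis handling, detection and prevention, early warning, audit, and control to respond to them. This research explores the literature on information risk, internal control management, and strategic planning and, combined with practice, proposes strategic planning and models suited to enterprise information internal control and information security, and uses a case example to verify the feasibility and suitability of the proposed information internal control, strategic planning, and construction process.

In addition to a literature review, this research collects expert opinions, emphasizes the expert audit perspective, and draws on information technology audit and risk control models. It divides information risk by type into internal and external information risk, establishes information risk pressure dimensions, analyzes the information risk results, and develops processes and methods for information internal control and information security auditing, in order to plan an executable scheme applicable to enterprise information internal control and information security strategy. Through a case study, it examines how the case company, when facing complex information internal control and security issues, follows the planning and construction process for information internal control and information security strategy proposed in the research framework to identify the internal priority measures for optimal information risk management, and then plans and implements information internal control and information security strategy within the enterprise. This verifies the applicability of information risk control and management and helps enterprises build a structure for practical application that ensures the effectiveness of information risk management.

As information risks and information security threats grow day by day, organizations must have a methodology to follow in order to plan information internal control and information security strategies quickly and appropriately. The specific contribution of this research addresses environments centered on e-commerce, social commerce, online consumption, or digital transactions: taking internal control norms for information systems as the basis, it summarizes and analyzes past literature to construct information system internal control, an information security architecture, and an information risk assessment mechanism. The practicality of the mechanism is demonstrated through a case study, enabling enterprises to carry out internal control of information systems precisely and to evaluate the performance of the internal control mechanism, thereby verifying the feasibility of applying the resulting audit mechanism to internal control audits. The research results can strengthen research knowledge in academia, or serve as a reference for subsequent researchers and practitioners implementing enterprise risk management, internal control audits, and information security strategy planning in Internet-based or digital-transaction-centered environments.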

Parallel Abstract

In recent years, information technology has been changing continuously. With the popularity and rapid development of mobile applications, the economy and society have undergone structural changes. E-commerce, community commerce, and online/offline consumer behavior have changed significantly, creating new business opportunities and business models for many companies but also bringing them more unpredictable risks and threats. In terms of business development, information technology risks and information security challenges have become increasingly serious, adding even more uncertainty, complexity, and crises for companies. In particular, information security and privacy protection issues such as digital fraud and crime have become key problems for businesses today. Businesses therefore urgently need information risk detection, an information control strategy, and an information security management mechanism to deal with them, especially enterprises engaged in online/offline integration.

The purpose of this research is to develop internal control, audit, and risk management mechanisms for corporations, to ensure that operations and information risks are kept under control. As information technology grows rapidly, the complexity of information systems and the need for their risk control and auditing are increasing. Data accuracy and information risk control directly or indirectly affect the accuracy and reliability of financial statements, and are considered a top priority of the enterprise. Management therefore needs to pay attention to risks surrounding the enterprise externally or internally, and to establish a complete mechanism for information system control, covering crisis detection, prevention, warning, audit, and control. This research studies the relevant literature on information security, risk management, and strategic planning and, together with practice, proposes strategic planning and models suited to corporate information internal control and information security. It also uses a case study to verify the feasibility and suitability of the proposal.

In addition to the literature, the research summarizes expert opinion and information system auditing perspectives, together with information technology audit and risk control models. It distinguishes internal and external information risk to establish information risk pressure factors, and analyzes the information risk results to develop a process and method for information internal control and information security audit, in order to plan a suitable solution for enterprise information internal control and information security strategy. The case study discusses information internal control and security issues, and how the company follows the strategic plan and process to set priorities and implement them, in order to verify the applicability and effectiveness of information risk control and security management.

As information security risks and threats increase, organizations must have a methodology to follow and an appropriate plan for information internal control and information security strategies. The contribution of this research is to summarize and analyze the past literature on information system internal control, targeted at e-commerce, community commerce, and digital transaction environments. Through the information security architecture and information risk assessment mechanism, the case study allows the company to carry out internal control of its information systems accurately, to evaluate the performance of the control mechanism, and to verify the result in the audit. The research results can be used to strengthen academic research knowledge, or by follow-up researchers and practitioners in risk management, internal control audit, or information security strategy planning for enterprises whose core environment is the Internet or digital transactions.
