This study examined two cases, using personal interviews and surveys, to investigate the state of internal control over information systems and security in two companies. The results showed that internal control in the Information Systems Departments of these two companies needs to be improved in many ways. The internal control policies cannot be accomplished for the following reasons: the impact of rapid changes in information technology; senior managers' perception of the importance of information security; changes in inspection procedures; and the lack of training programs for auditors. The results also indicated that internal control for information technology and systems security still needs to be improved, and that the abilities to control, manage, and evaluate information technology can still be reinforced.