This paper outlines research in progress for defining security, control and audit issues in Electronic Commerce (EC). The research involves focused interviews with expert developers, security consultants and both internal and external auditors. This work builds on previous research into Security and Audit of Electronic Data Interchange (EDI) and uses this as the basis for building a framework of risks, security and controls for auditing electronic commerce. The preliminary research results will be validated by a survey considering the importance of these aspects and the involvement of audit and security personnel in developing EC systems. The results should provide for a framework for managing EC security, control and the identification of EC future audit techniques. These results should then allow the development of audit techniques to assist in the management of EC, primarily decision aids, with the potential to look towards embedded audit technologies. The challenge for researchers is to feedback results of EC research, as described above, so that IS practitioners may take advantage of the findings to improve the security, control and auditability of future EC systems.