This paper presents a modelling framework to support Internal Control. The proposed framework is intended to be used for the design and evaluation of internal controls by organisations and their auditors. One component of the framework is a modelling language and the other is a process to establish internal controls. The proposed modelling language is based on the Secure Tropos modelling language. It extends Secure Tropos in several ways in order to conceptualise some aspects of internal controls in which organisational structure and relationships between major stakeholders are taken into account. In this paper, we describe the proposed framework by presenting an internal control model and show how risks can be analysed in the models according to the proposed process.