Article

Reframing Climate Governance: How an Internal Audit Makes Smart-City Resilience Enforceable in an Egyptian State-Owned Enterprise

by Loai Ali Zeenalabden Ali Alsaid 1,* and Muhannad Abdulaziz Alyousef 2,*
1 Department of Accounting, Faculty of Commerce, Beni-Suef University, Beni-Suef P.O. Box 6251, Egypt
2 Department of Accounting, College of Business Administration, Majmaah University, Al-Majma’ah 11952, Saudi Arabia
* Authors to whom correspondence should be addressed.
Sustainability 2026, 18(7), 3610; https://doi.org/10.3390/su18073610
Submission received: 21 February 2026 / Revised: 27 March 2026 / Accepted: 30 March 2026 / Published: 7 April 2026

Abstract

Smart-city programmes in emerging economies often produce climate-risk registers, dashboards, and narrative reports that do not lead to real changes in technical specifications or budget decisions. This study examines how the internal audit function can transform such symbolic compliance into enforceable climate-governance practices within Egypt’s state-led smart-city developments. This paper applies an interpretive single-case study design, drawing on interviews, documents, and field observations to analyse how climate-risk signals move from operational systems into governance, procurement, and reporting routines. A unified risk-and-control framework is introduced that integrates enterprise risk management, internal control over sustainability information, and the requirements of the international climate-disclosure standards. The findings show that an internal audit provides the enforcement mechanism that converts climate-scenario breaches into mandatory amendments to design clauses, acceptance tests, and operating and capital expenditure decisions across critical assets such as coastal protection, water systems, district cooling, mobility, and data-centre infrastructure. This study offers a practical governance architecture—such as threshold-to-specification tables, climate-weighted procurement gates, quarterly compliance certifications, and verifiable data-lineage controls—that enables public managers to embed accountable and transparent climate resilience within smart-city programmes. This research contributes to sustainability governance by demonstrating how an internal audit moves climate-risk management from narrative reporting toward enforceable, auditable action.

1. Introduction

Climate-risk governance in smart cities is a deeply interconnected system in which strategy, controls, assurance, and disclosure must operate in concert to transform hazard signals into enforceable decisions. Within this architecture, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework provides the strategic spine that translates climate scenarios and risk appetite into portfolio views and prioritised objectives. COSO’s Internal Control over Sustainability Reporting (ICSR) framework supplies the control mechanics—such as data lineage, control activities, and monitoring—that make these decisions auditable. The International Sustainability Standards Board (ISSB)’s International Financial Reporting Standard S2 (IFRS S2) defines the perimeter and quality attributes of decision-useful climate information, while an internal audit functions as the organisational integrator that tests whether scenario thresholds actually lead to changes in specifications, budgets, and operations-and-maintenance (O&M) routines [1,2]. This coupling is particularly salient in Egypt’s fourth generation smart-city drive, where acute hazards such as heat stress, coastal surge, and water scarcity intersect with centrally delivered urban programmes under the New Urban Communities Authority (NUCA) and a rapidly expanding digital layer—exemplified by New Alamein’s command operations control data centre (COCDC) and smart utility modernisation [3,4,5]. In such conditions, resilience is credible only when climate thresholds are traceably embedded into design clauses, procurement scoring, and maintenance release rules—and when reported metrics can be audited back to the operational change they justified.
Although existing research provides important conceptual foundations, it leaves critical practice gaps that justify an internal-audit-centred investigation. Smart-city scholarship has established that governance and institutional design, rather than technology alone, underpin “smartness”, yet most studies stabilise legitimacy through dashboards and process artefacts, offering little evidence that climate thresholds become binding on specifications and resource allocation [6,7,8]. The climate-risk and ERM literature documents the growing use of scenario analysis and portfolio views but repeatedly notes uneven operationalisation in public entities, with few demonstrations of enforceable escalation from hazard signal to procurement or O&M change—particularly in emerging economies [9,10]. Public-sector assurance guidance recognises the expanding role of an internal audit in environmental, social and governance (ESG) matters, while highlighting persistent maturity gaps: ERM artefacts and disclosures exist, yet control enforcement at the points of failure remains weak [11,12,13]. Against this backdrop, the present study addresses a distinctive gap by positioning an internal audit as the linchpin of climate governance and producing an audit-traceable account of how resilience moves from narrative compliance to enforceable governance in an Egyptian state-owned enterprise (SOE). The overarching research question guiding this inquiry is as follows: How can an internal audit make COSO ERM signals and IFRS S2 requirements enforceable at the level of technical specifications, budgets, and operational routines in a state-owned smart-city enterprise? This overarching question is explored through two interrelated questions:
  • How does an internal audit convert COSO ERM climate thresholds into enforceable specification amendments and budget movement across climate-critical asset classes?
  • How does an internal audit assure IFRS S2 climate disclosures by linking reported metrics and targets to operational change through COSO ICSR data lineage and control workflows?
For clarity, the empirical case examined in this study is a single SOE (YSF) operating within New Alamein City, rather than the national smart-city programme itself; the organisation’s internal audit function constitutes the primary unit of analysis.
This study is theoretically anchored in Dillard et al.’s [14] multilevel institutional model, which explains how signification (meaning), legitimation (rules/values), and domination (power/resources) recursively shape organisational practice. This power-aware, processual lens is particularly suited to public smart-city contexts where formal rationalities of efficiency and delivery optics often crowd out substantive rationalities of continuity, equity, and long-term resilience [14,15]. It enables explanation of ceremonial decoupling—risk registers and heatmaps without binding thresholds—while specifying how artefacts and cadence (e.g., threshold tables, change-control logs, quarterly certifications) can realign authority across societal, field, and organisational levels [16,17]. Prior Egyptian applications of this model demonstrate the salience of political–economic structures for accounting change in SOEs and city authorities but have not addressed climate assurance; the present study extends this theoretical lineage into audit-enabled climate governance [18,19,20].
Methodologically, this study adopts an interpretive single-case design to examine how climate-risk governance and assurance are socially constructed within an Egyptian state-owned smart-city enterprise [21]. This approach enables deep contextual analysis of governance practices rather than surface-level compliance narratives. Data were triangulated from multiple sources, including interviews, documentary evidence, and observations, and analysed through iterative coding cycles supported by validation strategies such as triangulation and negative-case analysis to ensure interpretive rigour [22,23]. Egypt’s institutional setting—marked by high climate exposure, centralised NUCA governance, and ambitious smart-city initiatives under Vision 2030 and the updated Nationally Determined Contributions (NDC)—provides a distinctive test bed for operationalising COSO ERM, COSO ICSR, and IFRS S2 into auditable resilience rather than ceremonial compliance [3,24].
This study contributes to sustainability accounting, public-sector governance, and smart-city risk management by demonstrating, with audit-traceable evidence, how an internal audit converts scenario breaches into enforceable gates that amend specifications and move budgets across climate-critical assets. In contrast to prior work that documents ERM adoption, disclosure practices, or dashboard-led governance at a conceptual level [6,8,9,10], the case shows how ICSR-grade controls—threshold-to-spec workflows, scored climate gates in procurement, reconciled data dictionaries, and quarterly comply-or-explain certifications—extend COSO ERM from portfolio language to enforceable governance [1,2]. It also contributes to the smart-grid and digital-operations literature by demonstrating how dashboards and alerts become design inputs when thresholds are routinised into procurement and O&M workflows. This routinisation reweights capital expenditure (CAPEX) and operating expenditure (OPEX), addressing a gap often noted in practice [3,25]. Finally, the analysis integrates social equity into assurance by linking continuity floors for water and cooling to audit-tested workflows, addressing findings that dynamic tariffs and heat stress can disproportionately burden low-income households without enablement safeguards [26,27,28]. Together, these contributions extend Dillard et al. [14]’s work through institutional layering and temporal structuring, showing how calculative artefacts and quarterly cadence redistribute authority and constrain discretionary deferral in public infrastructures.
This study demonstrates—using audit-traceable evidence in a NUCA-governed state-led smart-city context—that internal audit capability, when coupled to COSO ERM/ICSR artefacts and aligned with IFRS S2, systematically converts breached climate thresholds into enforceable, auditable changes in design, procurement, and O&M (amended specifications and acceptance tests, CAPEX/OPEX reweighting, and reconciled disclosure entries). The scientific novelty lies in reframing an internal audit from an ex-post compliance check to the enforcement mechanism that makes climate thresholds governable ex-ante and in specifying a replicable architecture—threshold-to-specification tables, change-control tickets with owners and spend ranges, audit sampling/verification, and committee dockets—that public managers can deploy to move from narrative compliance to enforceable climate governance.
Although this study specifies and evidences audit-enabled enforceability in a state-led smart-city context, the operation and strength of the mechanism may vary across legal cultures, public-sector structures, and levels of democratic institutional development. The claims advanced are therefore framed as analytic generalisation to settings sharing core enabling features—active use of COSO ERM/ICSR artefacts, an independent internal audit function with board/audit-committee reporting, procurement and engineering processes that can amend specifications and acceptance tests, and IFRS S2-aligned disclosure processes. Potential moderators—such as administrative-law traditions, civil-service rules, provider autonomy, and committee transparency—are recognised as factors that can amplify or dampen the conversion of thresholds into binding specification and budget decisions.
This paper proceeds as follows. Section 2 synthesises the literatures on climate risk and COSO ERM, internal audit and climate assurance, and smart-city governance and introduces the audit-enabled climate governance for smart cities (AECGSC) conceptual framework. Section 3 elaborates the theoretical model [14] and its application. Section 4 situates the analysis within the Egyptian context—hazards, governance arrangements, and smart-city initiatives. Section 5 details the research methodology and methods. Section 6 presents the empirical findings across institutional levels and asset domains. Section 7 offers a critical discussion that connects findings to theory and practice. Section 8 concludes with implications, contributions, limitations, and directions for future research.

2. Literature Review

2.1. Climate Change and Enterprise Risk Management

Climate change has evolved into a systemic and cascading risk that threatens strategic objectives, capital investments, and operational continuity across sectors. The Intergovernmental Panel on Climate Change [4] emphasises that climate hazards—such as extreme heat, flooding, and sea-level rise—are intensifying and interacting with socio-economic systems, creating compound risks that demand enterprise-level governance. Similarly, the World Economic Forum [29] ranks extreme weather events, biodiversity loss, and resource scarcity among the most severe global threats over the next decade, reinforcing the urgency for organisations to embed climate considerations into strategic risk frameworks.
From a financial stability perspective, Carney’s [30] “Tragedy of the Horizon” conceptualises climate risk through three channels: physical risks (acute floods, chronic heat stress, and sea-level rise), transition risks (policy shifts, technological disruption, and market realignment), and liability risks (litigation and reputational exposure). Transition risks are particularly salient for smart cities, where sudden regulatory mandates for renewable energy adoption, carbon pricing, or building efficiency standards can disrupt procurement strategies, increase compliance costs, and render existing infrastructure economically obsolete [9]. For example, rapid implementation of electric mobility policies or green building codes can force SOEs to accelerate capital upgrades, renegotiate supply contracts, and absorb stranded asset losses, creating financial and operational volatility. Liability risks are equally significant: failure to implement adequate coastal defences, misrepresentation of climate resilience in public disclosures, or negligence in adapting critical infrastructure can lead to lawsuits, regulatory penalties, and reputational damage [10].
ERM frameworks, particularly COSO’s ERM model, have emerged as a cornerstone for addressing these complex, interconnected risks. The COSO and World Business Council for Sustainable Development (WBCSD) guidance [31] extends ERM to ESG-related risks, urging organisations to consider interconnectivity, velocity, and adaptability when assessing climate exposures. This guidance links governance, strategy, performance, and reporting to climate risk treatment, moving beyond traditional likelihood-impact matrices toward portfolio-based risk views. When aligned with the ISSB’s IFRS S2 standard—which consolidates Task Force on Climate-related Financial Disclosures (TCFD) principles into mandatory disclosure requirements—ERM provides a structured pathway for generating decision-useful climate information [2,31]. However, recent studies reveal persistent gaps in operationalising these frameworks, particularly in emerging economies and public-sector entities, where climate risk integration remains fragmented and lacks robust assurance mechanisms [10,32].
These shortcomings are especially critical for smart cities, where climate risks intersect with technological and infrastructural complexity. Heatwaves, for instance, have profound implications for urban resilience: they increase energy demand for cooling systems, strain electricity grids, accelerate pavement and building material degradation, and exacerbate health risks for vulnerable populations [3,4]. In smart cities, heatwaves also challenge the performance of smart grids. While smart grids are designed to optimise energy distribution through real-time monitoring and demand-response systems, extreme heat can cause peak load surges that exceed design thresholds, forcing utilities to implement rolling blackouts or emergency load-shedding. Moreover, IoT sensors and automated controls may malfunction under prolonged high temperatures, reducing the effectiveness of predictive maintenance and energy optimisation algorithms [33]. These cascading effects illustrate why climate risk management in smart cities cannot be limited to physical adaptation but must integrate technology resilience and governance.
Similarly, coastal smart cities face acute physical risks such as storm surges and pluvial flooding that damage promenades, power substations, and stormwater systems. Chronic risks include prolonged heat stress and water scarcity, while liability risks loom large as inadequate adaptation measures or inaccurate climate disclosures may trigger litigation and erode public trust [24]. Despite these tangible exposures, conventional project appraisal methods often fail to internalise cascading climate risks, leaving SOEs vulnerable to operational and reputational shocks. An enterprise lens is therefore essential—one that embeds climate scenarios into investment planning, procurement, and maintenance decisions and translates them into auditable, data-supported controls aligned with COSO ERM and ISSB S2 standards. This study addresses this gap by examining how ERM frameworks can be operationalised to manage climate risks within an Egyptian SOE engaged in smart-city development, contributing to the literature on climate governance in emerging economies.

2.2. Internal Audit and Climate-Risk Oversight

The internal audit has evolved from a compliance-oriented function into a strategic governance mechanism that provides independent assurance over climate-related risk management and internal controls. Throughout this paper, internal audit refers to the independent, organisation-level assurance and advisory function embedded within the SOE that delivers smart-city programmes, rather than a municipal-level supervisory or external audit body. In this context, an internal audit operates under an approved charter and reporting line to the audit committee or board, applies a risk-based plan, and provides assurance over climate-related governance, risk and control by testing the integration of COSO ERM signals (risk appetite, scenarios, portfolio views), the COSO ICSR control environment for sustainability information (data lineage, control activities, monitoring), and the enforceability of thresholds at the points of design, procurement and O&M. The unit of analysis is the internal audit function of the SOE operating within the city-programme setting. Its scope includes examining COCDC- and Supervisory Control and Data Acquisition (SCADA)-linked escalations, tracking specification changes and budget movements, and assessing disclosure controls aligned with IFRS S2.
Contemporary guidance emphasises that internal auditors should assess the robustness of climate risk processes, the reliability of sustainability data, and the effectiveness of controls underpinning scenario analysis and transition plans; in parallel, audit committees expect advice on climate-related risk appetite and governance gaps across the Three Lines model, especially where climate risks threaten service continuity and fiscal exposure in public programmes [12,34]. Recent commentaries and surveys underscore that an internal audit’s role in ESG assurance is expanding, but practice maturity is uneven—many entities still treat climate as a disclosure exercise rather than an auditable governance priority, leaving gaps in control design and accountability that regulators and stakeholders increasingly scrutinise [11,12].
A pivotal enabler of credible climate assurance is COSO’s ICSR, which tailors COSO’s five components and 17 principles to sustainability contexts. COSO ERM [35] provides a strategic architecture—risk appetite, portfolio views, and integration with performance—whereas COSO ICSR focuses on the internal control environment for sustainability information: governance tone and competence, control activities for data lineage and estimation, and information-quality attributes (relevance, completeness, accuracy, consistency, timeliness) monitored through remediation cycles. These design requirements allow an internal audit to test control effectiveness over climate data pipelines—scenario inputs, hazard metrics, adaptation outcomes, and emissions inventories—and to judge whether disclosures meet ISSB IFRS S2 expectations for governance, strategy, risk-management processes, and metrics/targets [1,2]. The distinction matters: absent ICSR-grade controls and ERM climate registers risk reverting to narrative claims disconnected from verifiable evidence, exposing public bodies to reputational and regulatory risk—an exposure already flagged in public-sector resilience reviews [34].
Despite the availability of frameworks, implementation gaps persist in SOEs and municipal agencies. External public auditors, known as Supreme Audit Institutions (SAIs), have advanced performance and adaptation audits, but documented internal audit methodologies that evaluate climate risk end-to-end—from identification and scenario design to control testing of sustainability data and governance of adaptation programmes—are scarce. Recent guidance from the International Organization of Supreme Audit Institutions (INTOSAI) Working Group on Environmental Auditing (WGEA) urges stronger criteria and question banks for climate adaptation, sustainability reporting, and environmental accounting, yet adoption within internal audit units remains uneven in emerging-economy contexts and smart-city programmes [13]. The consequence is practical: weak controls over climate data and adaptation governance invite greenwashing charges, misallocation of capital, and systemic governance failures when extreme events stress infrastructure portfolios [12,13].
Smart cities add technological complexity to climate oversight because digital infrastructure underpins critical services. Smart grids manage peak loads during heatwaves by combining real-time monitoring with demand-response and distributed energy resources. When outdoor temperatures surge, system operators issue event signals that dynamically adjust consumption—via automated thermostat set-backs, delaying appliance cycles, or dispatching behind-the-meter batteries—to curb demand spikes and maintain frequency without resorting to extensive outages. The U.S. Department of Energy’s (DOE) 2024 Smart Grid System Report documents the growing role of distributed energy resources and demand flexibility, while technical briefings highlight heating, ventilation and air conditioning (HVAC) demand-response and managed charging programmes as near-term reliability resources; nevertheless, inconsistent programme design and under-performing assets can jeopardise reliability, underscoring the need for audit scrutiny of technology resilience and programme governance [25,36]. An internal audit should therefore evaluate whether peak-load management strategies incorporate contingency planning for sensor degradation at high temperatures, data integrity in telemetered signals, and escalation protocols when demand surges exceed design thresholds—risks observed in practice and flagged by market operators and policy briefs [37,38].
The demand-response mechanisms that stabilise grids during heat events rely heavily on dynamic pricing, which raises equity and consumer-protection issues that audits and governance must confront. Dynamic tariffs increase prices during peak windows and lower them off-peak, nudging households to shift or curtail usage; experimental and empirical studies show heterogeneous responses across income groups and appliance ownership, with automation enhancing elasticity but not uniformly accessible to all consumers [26]. Low-income households frequently lack smart appliances, storage, or flexible schedules, limiting their capacity to respond; as a result, they may face higher bills during sustained heatwaves or health risks if cooling is reduced—patterns highlighted in behavioural and equity-focused demand-response research [27,28]. Internal audit should examine whether programme design embeds equity safeguards—plain-language disclosures of rate risks, opt-out mechanisms for medically vulnerable consumers, and grievance procedures—while verifying data governance so that participation and bill-impact analytics accurately reflect distributional outcomes [25,38].
Policy design can reduce pricing inequity without undermining grid reliability. Regulators can introduce tiered or inclining block rates that cap peak charges for vulnerable customers, offer targeted subsidies or rebates for essential cooling during certified heat emergencies, and fund enablement technologies—smart thermostats, efficient HVAC, or battery vouchers—to expand elastic response among low-income households. Evidence from market assessments indicates that without incentives or enabling technologies, bill savings under dynamic tariffs may be too modest to drive widespread adoption, even as system-level benefits (peak reduction, ramping) are significant; hence, consumer-side support is integral to fair, scalable participation [25,39]. An internal audit should test whether these equity-focused policies are implemented effectively, whether eligibility and targeting controls prevent leakage, and whether monitoring reports disaggregate impacts by income, age, health status, and appliance access—closing the loop between climate resilience objectives and distributional fairness in smart-city energy programmes [12,13].
Finally, assurance over climate-related reporting must meet rising global expectations. ISSB IFRS S2 requires decision-useful disclosure of governance, strategy, risk management, and performance metrics related to physical and transition risks. Embedding COSO ERM’s portfolio view with ICSR’s control rigour, and testing the end-to-end reliability of climate data systems, positions an internal audit to provide credible assurance that climate risk is not only assessed but audited against investor-grade standards—an essential condition for SOEs delivering smart-city services under increasing climate stress [1,2].
Figure 1 presents the unified COSO view, showing how COSO ERM and COSO ICSR jointly anchor decision-useful climate disclosure under IFRS S2.
In this paper, internal audit capability is the independent governance mechanism of interest: the SOE’s independent internal audit function that provides risk-based assurance and advisory services over climate-related governance, risk and control (charter, access, plan, testing, reporting). The dependent outcome is enforceable climate-risk governance, defined as the conversion of scenario thresholds into binding, auditable choices—evidenced by threshold-to-specification tables, ICSR change-control tickets with accountable owners and cost ranges, amended procurement specifications and acceptance-test criteria, CAPEX/OPEX reweighting and O&M release, and reconciliation to IFRS S2 climate-disclosure requirements. COSO ERM (risk appetite, scenarios, portfolio views) and COSO ICSR (control environment, data lineage, monitoring) form the architecture through which an internal audit exercises assurance and escalation.

2.3. Smart-City Governance and Risk Management

The contemporary smart-city literature has decisively shifted from technology determinism toward institutional design and governance, arguing that data infrastructures only create public value when paired with collaborative, transparent, and participatory arrangements that distribute roles and accountability across actors. Foundational work frames smart cities as the interplay of technology, people, and institutions, emphasising governance for institutional improvement and citizen engagement [6]. Systematic reviews further stress that “smartness” is ultimately a matter of smart collaboration and legitimacy—crafting new forms of human coordination with ICTs to achieve better outcomes and more open processes—rather than a purely technical exercise [8]. In parallel, early research on the “science of smart cities” explicitly called out risk, uncertainty, and hazards as core agenda items, anticipating the need for governance that accounts for system interdependencies across transport, energy, water, and communications [7]. Together, this body of work implies that risk profiles will vary across subsystems—emergency alerting, smart metering, and mobility platforms—so governance must adopt portfolio and systems perspectives to manage cross-asset externalities and failure cascades [6,7,8].
Integrating climate risk into smart-city governance raises the stakes of that portfolio logic. For Egypt, material hazards include coastal surge, shoreline erosion, heat stress, and water scarcity, all of which affect urban services and long-lived assets (e.g., promenades, substations, desalination, district cooling). These hazards demand that city authorities not only map exposures and interdependencies but also embed scenario analysis and risk appetite into strategic planning, procurement, and O&M regimes [3]. At the disclosure interface, ISSB IFRS S2 codifies expectations for governance, strategy, risk management processes, and metrics/targets on both physical and transition risks, supplying a common target state for “decision-useful” climate information in public entities and SOEs. In turn, COSO–WBCSD [31] extends ERM to ESG and climate, urging entities to assess interconnectivity, velocity, vulnerability, and adaptability and to maintain portfolio views of hazard clusters—capabilities that are indispensable in smart-city contexts where a single heatwave or flood can stress multiple domains simultaneously [2,3,31].
Within this architecture, ERM provides the operating spine that links climate-informed risk identification to strategy, performance, and capital allocation in smart-city programmes. ERM clarifies risk appetite for climate relevant outcomes (e.g., service continuity thresholds during heat events), supports portfolio-level prioritisation across heterogeneous assets (water, energy, mobility, data centres), and establishes performance and revision cycles to monitor control effectiveness and resilience gains. The ERM–ESG guidance’s emphasis on information, communication, and reporting connects decision dashboards to disclosure regimes, while IFRS S2 sets the minimum content and structure for investor-grade reports. For smart-city authorities and SOEs, this means climate risk registers and scenarios must be traceably linked to procurement specs, maintenance standards, redundancy strategies, and programme level business cases—with board-level oversight of risk trade-offs and residual exposures [2,31].
Egypt’s fourth-generation smart-city drive situates these governance choices in a concrete institutional context. Vision 2030 articulates sustainability and digital transformation goals and has been followed by announcements of a National Smart Cities Strategy to modernise existing and new urban areas [5,40]. New Alamein City illustrates the digital layer now being deployed: the COCDC is being delivered as the city’s primary data hub to centralise real-time operations and decision-making, with completion targeted within a year [41]. In utilities, authorities have moved to smart and prepaid water metering and are pursuing localisation of meter manufacturing and smart utility management—steps that expand the cyber physical footprint and the volume of decision-critical data [42,43]. Yet institutional realities persist: NUCA—an economic authority established by Law 59/1979—centralises planning and delivery for new cities, operating outside routine municipal administration. Independent assessments of NUCs report occupancy gaps, data inconsistencies, and governance frictions that complicate claims of economic performance and resilience, reinforcing the need for formal ERM and audit-ready governance [5,43,44].
A climate-integrated ERM for smart-city governance in this context should therefore link hazard scenarios (heat, flood, water stress) to specific asset classes and service key performance indicators (KPIs); define risk appetite and tolerance thresholds for continuity and safety; design mitigation and adaptation controls across procurement, engineering standards, redundancy, and emergency operations; and establish information/reporting pipelines that reconcile operational data with IFRS S2 disclosures. Practically, that means dashboards from the COCDC must feed ERM registers, and programme reviews should evidence how scenario results have altered design specs or OPEX/CAPEX phasing. The COSO–WBCSD guidance supplies the process mechanics for governance, performance, and review/revision, while IFRS S2 anchors the reporting perimeter and metric structure. For Egypt’s SOE-led smart-city model, this coupling of ERM and disclosure is decisive for converting strategic intent into auditable climate resilience and for maintaining public trust in high-visibility, capital-intensive urban programmes [2,3,31].
A critical synthesis of the above strands surfaces several unaddressed needs that this study targets:
  • Internal audit practice in SOEs on climate risk remains under-evidenced. Guidance exists, e.g., [1,11,12], but published case work demonstrating audit universes, criteria, testing procedures, and reporting on climate risk inside SOEs and city authorities—particularly in emerging economies—is sparse.
  • Coupling of ERM with auditability in smart-city climate programmes is weak. Governance papers stress collaboration and transparency, yet few studies show how ERM-identified climate risks translate into auditable control systems and performance verification for coastal defences, water security, heat mitigation, or energy transition investments.
  • Public sector readiness for evolving disclosure regimes is unclear. With TCFD’s remit transferred to ISSB, many entities face new demands for investor-grade climate information. Evidence on how ERM, ICSR, and internal audits jointly produce reliable, decision-useful climate disclosures in SOEs is limited.
  • Egypt-specific institutional conditions heighten the need for assurance. NUCA’s centralised governance of city assets, coupled with the National Climate Change Strategy (NCCS) 2050 and updated NDC ambitions, creates material climate exposure and reputational stakes that require robust, documented assurance approaches.
In response, this study offers an empirical examination of climate risk auditability within an Egyptian SOE engaged in smart-city delivery, shows how COSO ERM (with the 2018 ESG extension) and COSO ICSR can be operationalised under ISSB S2 expectations, and proposes a risk-based audit architecture aligned to hazard portfolios and programme outcomes. The contribution is not merely theoretical; it provides practicable mechanisms—data governance, control testing, audit scoping—that enable urban SOEs to turn climate strategy into accountable, auditable performance.

2.4. Conceptual Framework

The AECGSC framework integrates climate risk portfolios, the COSO ERM framework including its 2018 ESG extension, COSO ICSR, and internal audits into a single operating model designed for smart-city governance within an SOE context, as shown in Figure 2. On the input side, climate risks are categorised as physical, transition, and liability risks and are explicitly mapped to smart-city asset classes such as coastal works, water and desalination, energy and district cooling, mobility, data centres, and housing. COSO ERM provides the strategic “spine” by linking risk appetite, scenarios, and portfolio views to objectives and performance, while COSO ICSR provides the control “nervous system” that ensures the data, estimation methods, boundary definitions, and monitoring necessary for investor-grade climate information and meaningful assurance. An internal audit then delivers independent and systematic testing of design and operating effectiveness across these elements, verifying that ERM risk signals influence plans, budgets, and performance and that sustainability information is reliable, comparable, and free of material misstatement.
We distil the AECGSC logic into a mind map linking hazards, COSO frameworks, and internal audits to enforceable procurement, acceptance-test, and O&M decisions.
At the mechanism layer, the framework establishes a risk-based audit universe aligned to climate hazards, focusing audit effort on climate-critical programmes such as coastal defences, storm water systems, water loss reduction, district cooling, smart metering, and green mobility, as well as on the cross-cutting controls that govern climate data and disclosures, including data lineage, measurement consistency, consolidation, and oversight. Scenarios in the style of the Network for Greening the Financial System (NGFS) and national climate strategies supply the macro context for ERM assessments, and an internal audit leverages them to prioritise audits and to probe whether management has translated these scenarios into credible mitigations and contingencies. The result is a governance cycle in which climate risk is traceably embedded in decisions, resilience KPIs are measured and assured, and climate disclosures aligned to ISSB S2 are both decision-useful and defensible, conditions necessary to avoid greenwashing risk and to earn public trust in contested, capital-intensive smart-city programmes.
The framework closes the persistent gap between climate strategy and auditable reality. COSO ERM ensures that climate hazards are explicitly tied to objectives and resource allocation; COSO ICSR operationalises assurance by defining what “good” control over climate data and reporting looks like; and an internal audit provides the independent, systematic testing necessary to validate management assertions and to surface remedial actions. In Egypt’s SOE-led smart-city model, where NUCA city agencies operate outside regular local administration, this integrated, audit-ready approach is indispensable for credible climate governance and for converting national strategies such as NCCS 2050 and the updated NDC into resilient urban outcomes that can withstand public, investor, and supervisory scrutiny.
Technology-centred and market-centred mechanisms offer complementary, but partial, pathways for strengthening climate-risk governance. AI-enabled monitoring and forecasting systems enhance detection, situational awareness, and operational latency, yet advanced analytics alone do not translate hazard alerts into binding amendments to specifications, acceptance tests, or O&M release rules without codified thresholds and decision rights [6,7,8,25]. Market-based instruments, including insurance and risk-transfer arrangements, can price exposure and create financial incentives for risk reduction, but these signals typically operate at portfolio level and remain ex-post, without directly triggering clause changes or work-order mobilisation [6,7,8]. The AECGSC model addresses this conversion gap by coupling COSO ERM/ICSR artefacts to an independent internal audit function, enabling threshold-to-specification workflows, CAPEX/OPEX reweighting, and IFRS S2-aligned reconciliation. In practice, these approaches function as complements [1,2]: AI improves the quality and timeliness of climate signals, insurance shapes financial incentives, and audit-enabled governance provides the enforceability spine that makes scenario gates operationally binding in state-led smart-city settings.

3. Theoretical Model

This study adopts the institutional model developed by Dillard et al. [14] because it offers a level-sensitive, power-aware, and process-oriented explanation of how accounting, audit, and governance practices are made and remade across social contexts. Unlike “new institutionalism” applications that largely infer conformity from coercive, mimetic, and normative pressures [45], or pillar-based taxonomies that remain conceptually static [16], Dillard et al. [14] theorise institutionalisation as a recursive and political process that unfolds across three linked analytical levels. Their framework integrates Weberian rationalities and power [46,47] with Giddens’s structuration theory [15], demonstrating how signification or meaning, legitimation or rules and values, and domination or power and resources interact to produce—and at times decouple—organisational practices. This analytical lens is essential in a public, smart-city context where the legitimacy of climate-risk audit depends not only on technical adequacy but also on the alignment of state priorities, professional standards, and internal routines.
The distinctiveness of the Dillard et al. [14] model lies in its explicit theorisation of formal versus substantive rationalities. Calculative efficiency and investor-style materiality often dominate public administration, yet climate-risk governance in smart cities also invokes values of equity, service continuity, and intergenerational resilience [14,46]. By treating rationalities as components of legitimation structures and linking them to domination structures such as resource control, the model helps explain why climate-risk audit initiatives may be resourced or starved, integrated or purely ceremonial. In other words, auditability gaps are not merely managerial failures; they are frequently the institutional consequences of cross-level contradictions in meaning, legitimacy, and power [14,15].
In applying this model to climate-risk audits in an Egyptian SOE charged with smart-city delivery, the analysis deliberately traces how macro political–economic logics, field-level codifications, and organisational routines co-produce the conditions under which climate risk practices are adopted, embedded, or decoupled. This approach positions this study to contribute theoretically: it interprets a climate-risk audit not as a compliance exercise but as a contested institutional terrain where practices are continually enacted, stabilised, and potentially undone. Such a contribution goes beyond “pressure” accounts that imply linear diffusion from global standards to local practice [45] and also transcends micro routine perspectives that under-specify macro constraints [17].
  • Societal (political–economic) level: At the macro level, norms, laws, and budgeting authority shape what counts as legitimate climate governance and determine which images of performance predominate, such as fiscal prudence versus resilience value. At this level, signification structures frame climate risk—for example, as a risk to public welfare versus a source of financial exposure—while legitimation structures prioritise values such as efficiency versus equity, and domination structures allocate resources across ministries, authorities, and oversight bodies. In Dillard et al. [14]’s terms, societal structures enable and constrain both the organisational field and the organisation itself, frequently privileging formal rationality, or efficiency calculus, in ways that can overshadow substantive public-value aims [14,46,47]. This level helps explain why public-sector SOEs may adopt disclosure formats yet fail to reorient CAPEX toward redundancies or equity-focused safeguards: macro-level criteria and resource logics have not shifted sufficiently to legitimate or fund such changes [14,15].
  • Organisational-field level: Field actors—including regulators, professional bodies, standards setters, and industry associations—translate societal logics into field-level criteria and expected practices, such as climate-disclosure content, ERM portfolio perspectives, and control attributes for sustainability data. Coercive, mimetic, and normative forces operate at this level, but Dillard et al. [14] emphasise that diffusion is inherently political: coalitions define what counts as “better practices”, and these definitions matter because they shape access to resources and allocate reputational rewards [14,45]. The field thus becomes the arena in which calculative standards associated with formal rationality are reconciled—or collide—with resilience and equity ambitions associated with substantive rationality. It is also where symbolic representations, or signification structures, normalise climate assurance as either operationally meaningful or largely ceremonial [14,16].
  • Organisational level: Within the SOE, actors respond as innovators or late adopters, generating routines that may be tightly coupled to operations—such as resilience-linked investment gates or ICSR-grade data-lineage controls—or decoupled to secure external legitimacy [14]. Structuration theory foregrounds agency: knowledgeable actors can invert the cascade, allowing organisational innovations to diffuse upward into field-level criteria and even reshape macro priorities, particularly under crisis conditions [15]. Conversely, routinised ceremonialism persists when societal and field-level criteria reward appearances while leaving underlying resource allocations unchanged. Dillard et al. [14]’s emphasis on domination structures directs the audit lens toward testing whether practices carry real resource backing and decision rights—an essential diagnostic for distinguishing substantive embedding from symbolic veneers [14].
This multilevel analysis is not a descriptive convenience; it is the mechanism through which the study’s conceptual framework—AECGSC—is theorised and strengthened. AECGSC specifies operational mechanics (risk appetite and portfolio views from ERM; control attributes from ICSR; assurance scopes from internal audit), but the Dillard et al. [14] model explains when and why those mechanics become institutionalised. For example, if societal legitimation continues to measure success by near-term cost-efficiency rather than service continuity and distributional fairness, field criteria will privilege calculative disclosures over resilience investments, and organisational routines will drift toward decoupling [14,46]. Alternatively, a crisis that re-signifies climate risk as a duty of care can re-authorise resource shifts, allowing organisational innovations to ascend and reconfigure field expectations [14,15].
Critically, adopting Dillard et al. [14]’s model differentiates this study from prevailing institutional treatments in climate-risk audit and smart-city governance. The classic “iron cage” lens is powerful in identifying pressures and decoupling [45], but it under-theorises how change occurs and whose power shapes standards. Scott’s pillars sensitise us to regulative, normative, and cultural-cognitive supports [16], yet they lack a dynamic engine for institutionalisation and deinstitutionalisation. Burns and Scapens [17] illuminate micro-level rules and routines but treat macro constraints as largely exogenous and under-specified. In contrast, Dillard et al. [14] integrate these insights into a power-aware process theory that traces the recursive cascade of structures across levels, specifies the key axes of tension (representation, rationality, and power), and embeds agency within the duality of structure. This integrated theorisation is precisely what a state-owned, smart-city context requires: it shows how climate audit practices can be made and remade through struggles over meaning and authority and how substantive resilience aims can be institutionalised only when they are legitimated and resourced across levels [14,15,46,47].
In sum, the value of using Dillard et al. [14]’s multilevel institutional model is both theoretical and interpretative. It equips this study to diagnose auditability gaps as institutional misalignments rather than mere technical deficiencies, to theorise change pathways that link organisational innovations to field codification and societal re-prioritisation, and to justify audit designs that test for cross-level congruence (signification, legitimation, domination) rather than only for compliance with codified procedures. By foregrounding power and rationality alongside standards and routines, the model clarifies the conditions under which a climate-risk audit in an Egyptian SOE will move from symbolic disclosure to embedded governance, thereby strengthening this study’s interpretive contribution to the literature on climate governance and public sector assurance reviewed in Section 2.
The Dillard et al. [14] multilevel institutional model has been previously applied in Egyptian case studies to examine accounting change under conditions of political and institutional complexity. In the context of structural reforms, Alawattage and Alsaid [18] combined the model with historical institutionalism to trace how accounting mediated ideological shifts across colonial, nationalist, and neoliberal regimes, emphasising top-down imposition and the persistence of domination structures. In smart-city governance, Alsaid [19] used the model to analyse the institutionalisation of performance measurement systems within a militarised city council, highlighting how macro political pressures for public–private collaboration cascaded into field-level governance structures and micro-level metrics that shaped political decisions. A subsequent study by Alsaid [20] applied the model to examine the implementation of enterprise resource planning (ERP) and ERP-enabled management accounting systems in an SOE, interpreting how sustainability pressures arising from smart-city projects generated complex, multilevel accounting practices across political, field, and organisational domains.
The current study differs from these applications in several critical respects. While earlier research focused on performance measurement, ERP systems, and structural reforms, this study centres on the auditability of climate risk—a domain that connects hazard scenarios and continuity thresholds to assurance requirements under global standards such as IFRS S2 and COSO ICSR. Unlike prior work, which primarily examined management accounting as a governance or control technology, this study positions the internal audit as a strategic actor whose mandate and resourcing are institutionally constituted, using the model to assess whether an audit can close cross-level gaps rather than merely attest to compliance. Furthermore, the analysis introduces crisis-driven recursion as a theoretical mechanism, explaining how organisational innovations—such as resilience-linked investment gates and audit test plans—can diffuse upward to reshape field criteria and influence macro-level resource allocations. By embedding these dynamics within the AECGSC framework, this study advances the interpretive scope of the model from explaining accounting change to theorising the conditions under which climate risk assurance moves from symbolic disclosure to substantive governance.

4. The Egyptian Context

Egypt’s climate vulnerability and rapid urbanisation create a distinctive governance environment for SOEs delivering smart-city services. The country faces acute and chronic hazards—coastal surge, shoreline erosion, heat stress, and water scarcity—that intersect with ambitious infrastructure agendas. The World Bank [3] identifies Egypt’s Mediterranean coastline as highly exposed to sea-level rise and storm surges, while inland regions experience intensifying heatwaves and hydrological stress. These hazards pose systemic risks to urban services and long-lived assets, making climate resilience a strategic imperative rather than a peripheral concern.
National policy frameworks have acknowledged this urgency. Egypt Vision 2030 embeds sustainability and digital transformation as core priorities, complemented by NCCS 2050 and the updated NDC, which commit to adaptation and mitigation across sectors [5,24]. Building on these commitments, the government launched a National Smart Cities Strategy to modernise urban governance and infrastructure, positioning smart technologies as enablers of efficiency, resilience, and citizen engagement [40]. Within this architecture, NUCA—an economic authority established under Law 59/1979—centralises planning and delivery for new cities, operating outside conventional municipal structures. NUCA’s mandate concentrates decision rights and resource allocation but also amplifies accountability challenges, as governance and assurance mechanisms must operate across complex, capital-intensive programmes with high visibility and political stakes [44].
In this study, the internal audit function refers specifically to the SOE’s independent internal audit unit that reports to its audit committee within the NUCA-governed delivery model. It does not refer to a municipal SAI or an external oversight body. This distinction is important because the analysis evaluates how the SOE’s internal audit converts scenario thresholds into enforceable specification and budget changes and how it assures IFRS S2-aligned climate-disclosure controls within the smart-city programme.
New Alamein City illustrates Egypt’s fourth-generation smart-city model. The city integrates advanced digital infrastructure, including the COCDC designed to centralise real-time operations and decision-making [41]. Utility modernisation initiatives—such as smart and prepaid water metering and localisation of meter manufacturing—expand the cyber–physical footprint and increase reliance on data-driven governance [42,43]. These developments promise operational efficiency but also introduce new risk vectors: technology failures during extreme heat, data integrity breaches, and cascading disruptions across energy, water, and mobility systems. Independent assessments of NUCA cities highlight occupancy gaps and governance frictions, underscoring the institutional complexity of translating strategic intent into resilient outcomes [44].
For clarity, the empirical case examined in this study is not the Egyptian national smart-city programme itself, but rather a single SOE (YSF) operating within New Alamein City under the governance of the New Urban Communities Authority. YSF is responsible for managing operational, technical, and governance processes across key urban-infrastructure domains, and it is the organisation whose internal audit function, risk-management routines, and climate-governance practices form the empirical basis of this case study. National strategies and NUCA-level policies therefore provide contextual framing, whereas YSF constitutes the actual unit of analysis.
For SOEs like YSF, affiliated with Al-Alamein City Council, this context imposes dual pressures. On one hand, they must align with national strategies and global disclosure regimes such as ISSB’s IFRS S2, which demand decision-useful climate information on governance, strategy, risk management, and performance metrics [2]. On the other hand, they operate within resource-constrained environments where formal rationalities—cost-efficiency and rapid delivery—often overshadow substantive resilience objectives. This tension heightens the need for robust ERM systems that integrate climate scenarios into investment planning, procurement, and operations and for internal audit functions capable of providing credible assurance over climate-related controls and disclosures [1,31].
Compared to other international contexts, Egypt’s governance model presents unique challenges and opportunities. Singapore’s Smart Nation initiative benefits from decades of investment in water security and distributed cooling systems under a consolidated national water agency, enabling proactive climate adaptation [48]. Similarly, Masdar City in the United Arab Emirates leverages abundant capital and a compact innovation ecosystem to pilot net-zero technologies, including passive design and district cooling [49]. In contrast, Egypt must embed resilience across large-scale, mixed-use developments under fiscal constraints and centralised authority-led governance. A third example, Barcelona’s smart-city programme, illustrates a European model where climate adaptation is embedded in multilevel governance frameworks supported by the EU Adaptation Strategy, emphasising participatory planning and decentralised accountability [50]. These contrasts underscore why Egypt—and specifically YSF’s operational remit in Al-Alamein—offers a distinctive test bed for examining how climate-integrated ERM and audit-enabled governance can be institutionalised in emerging-economy smart cities.
In practice, as analysed in Section 6, YSF’s operational mandate places it at the intersection of asset management and data governance, where climate risk must be embedded into procurement specifications, maintenance standards, and emergency protocols. The empirical findings demonstrate how YSF translates hazard scenarios, such as heatwaves and coastal flooding, into risk appetite statements and continuity thresholds and how these are linked to CAPEX/OPEX phasing and reporting pipelines. This operationalisation of the AECGSC framework illustrates the mechanisms through which climate strategy becomes auditable reality in an emerging-economy context.
Ultimately, the Egyptian context is characterised by high climate exposure, ambitious smart-city plans, and centralised governance structures that concentrate both opportunity and risk. For SOEs operating in this environment, climate-integrated ERM and audit-ready governance are not optional; they are foundational to sustaining service continuity, meeting global reporting standards, and legitimising Egypt’s smart-city vision under conditions of accelerating climate stress.

5. Research Methodology

This study adopts an interpretive single-case design in which the unit of analysis is the internal audit function within YSF, an SOE operating under the governance of New Alamein City. The case does not examine the Egyptian government or the national smart-city programme as a whole; rather, it focuses on how one state-led enterprise embeds climate-risk governance into its operational, procurement, and reporting processes. This approach is consistent with interpretive methodology, which seeks to understand how meanings, governance practices, and control routines are socially constructed within a specific organisational setting [14,15]. The single-case design allows for in-depth tracing of climate-risk signals across documents, interviews, and observations, thereby enabling analytic generalisation rather than statistical inference.
To guide the analysis, this study adopts two analytical propositions rather than statistical hypotheses, consistent with the interpretive single-case design. Proposition 1 holds that where internal audit capability is applied to climate-scenario thresholds, those thresholds become enforceable—that is, they trigger auditable changes in specifications, acceptance-test criteria, and CAPEX/OPEX allocations. Proposition 2 holds that the effectiveness of this enforcement is conditioned by the maturity of the COSO ERM (risk appetite, scenarios, portfolio views) and COSO ICSR (control environment, data lineage, monitoring) systems. Internal audit capability is operationalised through charter and reporting structures, risk-based planning, test procedures, sampling and verification records, and escalation to the audit committee. Enforceable climate-risk governance is operationalised through threshold tables, ICSR change-control tickets, amended specifications, budget reweighting, and IFRS S2 reconciliation entries. These propositions and operational indicators frame the data collection and analysis reported in Section 6.
Consistent with an interpretive single-case design, the purpose is analytic, rather than statistical, generalisation. The analysis focuses on mechanism–context linkages that are expected to travel when core enabling conditions are present: active use of COSO ERM/ICSR artefacts (e.g., risk-appetite and scenario registers, control matrices, monitoring logs), an independent internal audit function operating under an approved charter with audit-committee reporting, procurement and engineering processes that can amend specifications and acceptance tests, and IFRS S2-aligned disclosure routines. It is also recognised that moderators—including administrative-law traditions, civil-service rules, provider autonomy, and committee transparency—may amplify or dampen the conversion of breached thresholds into binding specification changes, budget reallocations, and disclosure entries. These boundary conditions frame the inferences drawn from the case and guide interpretation of the findings in Section 6.
The case study method, as conceptualised by Yin [21], provides a robust framework for investigating contemporary phenomena within real-life settings where boundaries between context and practice are blurred. This design is particularly suited to the research question, which interrogates how COSO ERM, COSO ICSR, and ISSB S2 principles are operationalised in a public-sector entity under conditions of climate vulnerability and governance complexity. By focusing on YSF—an SOE affiliated with Al-Alamein City Council—this study captures a critical site where climate risk intersects with asset management, data governance, and disclosure obligations, offering insights that are theoretically rich and practically relevant.
Data collection relied on multiple sources of evidence to ensure triangulation and interpretive rigour. This multi-modal strategy was essential for capturing the complexity of climate-risk governance and auditability within YSF, allowing the researchers to corroborate findings across interviews, documents, and observations. Using Yin’s [21] case study principles, the approach combined depth and contextual sensitivity with methodological robustness.
The observation window spans the calendar year 2024 to early 2025. Accordingly, inferences focus on leading indicators of enforceability that are auditable within this period—executed specification and acceptance-test amendments, release of O&M work orders, documented CAPEX/OPEX reweighting, and IFRS S2-aligned reconciliation entries—rather than on long-run engineering or service-continuity outcomes. Assessment of durable resilience effects (e.g., sustained reduction in outage duration and failure rates; leakage performance on priority mains; thermal-derating pass rates for district-cooling and ICT equipment; coastal overtopping tolerance; heat-related service-level interruptions) requires observation across multiple seasonal cycles and is outlined as a forward evaluation plan in the Discussion.
Semi-structured interviews formed the core of the empirical inquiry. These interviews were designed to elicit rich narratives about how actors interpreted and operationalised COSO ERM, COSO ICSR, and IFRS S2 requirements under NUCA’s governance structure. Guided by an interview protocol, as outlined in Table 1, but allowing flexibility for emergent themes, the conversations explored the meanings, decision rationalities, and resource constraints that shape climate-risk practices [51,52]. The main data collection period spanned June to August 2024, followed by a one-month follow-up in January–February 2025 to capture any subsequent developments. Across these two windows, twenty interviews were conducted with purposively selected staff representing strategic, control, and operational domains. Participants included the Managing Director, Head of ERM, Head of Internal Audit, Audit Committee Secretary, Chief Financial Officer (CFO), Sustainability Manager, Procurement Manager, Legal/Compliance Officer, COCDC Manager, Information and Communications Technology (ICT) Lead, Water Operations Manager, Wastewater Manager, Energy/District Cooling Manager, Coastal Engineering Lead, Health, Safety and Environment (HSE) Manager, Business Continuity Coordinator, two Operations Supervisors, and two Senior Project Engineers. Interviews were conducted in Arabic, recorded based on participant preferences, translated into English, and returned to interviewees for review to ensure accuracy of meanings and expressions—a process consistent with member checking for credibility [22]. The length of each interview ranged from approximately 30 min to 2 h, depending on the participant’s role and prevailing work conditions. The informed consent procedures followed in this study are detailed in Appendix A (Table A1).
Document analysis complemented the interviews by providing formal evidence of governance structures and control systems. Key documents included ERM policies and risk registers, internal audit plans and working papers, COSO ICSR control matrices, IFRS S2 disclosure drafts, board and committee minutes, COC dashboard logs, incident reports, procurement specifications, and emergency protocols. These were sourced from YSF’s secure repositories, committee secretariats, and operational archives, with each item logged in an audit trail to maintain a chain of evidence [53]. Treating documents as social artefacts rather than neutral records enabled the researchers to identify how climate risk was framed and codified and to detect gaps between formal commitments and operational realities [54].
Observations provided an additional layer of insight by capturing practices and interactions that were not always evident in interviews or documents. Eight structured observation sessions were conducted during the two fieldwork periods. Examples included monitoring COCDC operations during a heatwave, walkthroughs of coastal works and water treatment facilities, witnessing smart meter installations, observing district cooling plant routines, and attending audit planning and disclosure meetings. These observations were critical for validating claims, identifying inconsistencies, and understanding how risk signals moved through organisational routines. Field notes and artefact captures supported pattern matching and explanation building, reinforcing the interpretive depth and reliability of the analysis [21,55].
The analysis followed an iterative coding process to transform raw data into meaningful themes aligned with the study’s interpretive stance. After transcription and translation checks, all interview transcripts, document extracts, and observation notes were imported into a qualitative analysis environment. Initial coding began with open coding, where descriptive labels were assigned to segments reflecting governance practices, risk interpretations, and control mechanisms. This stage was inductive, allowing codes to emerge from the data without imposing predefined categories [23]. In the second cycle, axial coding was applied to cluster related codes and identify relationships among concepts such as risk appetite, data lineage, and assurance routines. Finally, selective coding integrated these clusters into higher-order themes informed by the Dillard et al. [14] institutional model—signification, legitimation, and domination—and mapped them against the AECGSC framework introduced in Section 2.4. Throughout the process, memoing and constant comparison were used to refine interpretations and ensure theoretical saturation. This multi-stage coding approach enabled the researchers to move beyond surface descriptions toward explanatory patterns that illuminate how climate risk auditability was enacted and institutionalised within YSF [21,56].
To ensure the credibility and trustworthiness of the thematic analysis, multiple validation strategies were applied throughout the coding process. First, member checking was conducted by sharing translated transcripts and preliminary thematic summaries with interviewees to confirm the accuracy of meanings and interpretations [22]. Second, triangulation was achieved by comparing themes emerging from interviews with evidence from documents and observations, allowing convergence or highlighting discrepancies across data sources [21,57]. Third, peer debriefing was used during analytic cycles, where emerging themes and coding decisions were reviewed with academic colleagues to challenge assumptions and enhance interpretive rigour [23]. Additionally, an audit trail documented coding iterations, memoing decisions, and theme development steps, ensuring transparency and enabling external review. Finally, negative case analysis was applied by actively seeking and examining data segments that contradicted dominant patterns, strengthening the explanatory robustness of the themes [52]. These combined strategies ensured that themes were not only internally coherent but also externally credible and theoretically grounded.
Negative case analysis strengthened the credibility of this study by forcing a re-examination of emerging interpretations and refining thematic boundaries. During coding, contradictory evidence was actively sought, such as operational managers reporting that climate scenarios in ERM registers were not reflected in procurement specifications, or disclosure drafts showing inconsistencies with actual data lineage practices observed in COCDC operations. These disconfirming cases influenced the conclusions by revealing that the operationalisation of the AECGSC framework was uneven across organisational layers, challenging initial assumptions of uniform compliance. As a result, themes were redefined to capture this complexity, shifting from broad categories like “ERM integration” to more nuanced themes such as “symbolic compliance versus substantive embedding” and “data integrity gaps in disclosure pipelines”. Incorporating these negative cases ensured that the final conclusions acknowledged both progress and persistent gaps, offering a more realistic and theoretically robust account of climate risk auditability in the Egyptian SOE context [22,52].

6. Empirical Findings

This section presents the empirical findings in three parts, corresponding to the political–economic level, the organisational–field level, and the organisational level, following the structure of the institutional model [14]. The empirical findings are organised around the two core constructs established in Section 2.2. The first construct, internal audit capability, refers to the SOE’s independent assurance function operating across COSO ERM and COSO ICSR artefacts. The second construct, enforceable climate-risk governance, refers to the conversion of scenario thresholds into binding specification changes, budget reallocations and IFRS S2-aligned disclosure entries. The findings that follow show how these constructs interact in practice, with Figure 3 providing the end-to-end evidence trail from COCDC/SCADA alerts to updated specifications, O&M releases and disclosure reconciliation.
The empirical patterns reported below are interpreted as analytic generalisation from a state-led smart-city setting in which an internal audit operates across COSO ERM and COSO ICSR artefacts with a board-level reporting line and established disclosure routines aligned to IFRS S2. The mechanism identified—linking breached climate thresholds to specification changes, CAPEX/OPEX reallocations and reconciled disclosure entries—can be expected to operate in a similar direction where comparable enabling features are present. Variation in magnitude and cadence is likely across jurisdictions with different legal cultures, administrative-law traditions, public-sector structures or levels of democratic institutional development. In contexts with strong administrative jurisprudence, transparent committee processes or more decentralised provider autonomy, enforceability may be strengthened; conversely, highly centralised environments without robust audit-committee oversight may weaken the conversion of thresholds into binding decisions. The findings that follow should therefore be read with these contextual factors in view.

6.1. Political–Economic Pre-Shaping of the Smart-City Climate-Risk Portfolio

National climate strategies announce resilience as a non-negotiable mandate, yet they fail to bind YSF’s risk appetite and continuity thresholds across the smart-city asset classes—coastal works, water networks, energy and district cooling plants, mobility systems, and the city’s data centre backbone. ERM Policy v3.1 names the principal hazards but does not codify asset-specific tolerances (e.g., overtopping return periods for coastal defence, thermal derating and redundancy ratios for district cooling, heat stress service floors for mobility, and uptime bands with recovery objectives for the data centre), while IFRS S2 drafts restate intent without an ICSR-grade lineage that traces scenario inputs through control activities into decision-useful metrics. In practice, the Command Operations Centre executes competent continuity actions during heatwaves, yet escalation protocols remain decoupled from explicit scenario gates, showing that national signification has not crystallised into rules where failures actually occur. As the Managing Director reflected,
We have a powerful narrative from Vision 2030, NCCS 2050, and the NDC, but a narrative is not a gate—until resilience appetite is codified per asset class, the portfolio will keep recognising climate risk without being governed by it.
This empirical evidence exemplifies the institutional contradictions theorised by Dillard et al. [14]. At the societal level, signification structures are strong—national strategies frame resilience as a non-negotiable mandate—but legitimation structures remain weak because rules and norms that would codify resilience thresholds for specific smart-city asset classes are absent. ERM policies and IFRS S2 drafts reproduce the discourse of resilience without embedding enforceable mechanisms, leaving organisational routines governed by formal rationality (compliance artefacts and continuity actions) rather than substantive rationality (binding scenario gates and design standards). Domination structures—budgetary authority and resource control—reinforce this decoupling by privileging optics and fiscal cadence over resilience enforcement. The Managing Director’s observation that “a narrative is not a gate” captures this misalignment: societal meanings cascade downward but fail to institutionalise at the operational level. Theoretically, this finding confirms Dillard et al. [14]’s recursive model: institutionalisation stalls when signification, legitimation, and domination are not aligned, producing symbolic compliance rather than structural coupling and explaining why climate-risk governance in smart cities remains ceremonial rather than transformative.
Portfolio prioritisation follows visibility rather than systemic vulnerability, elevating coastal frontage and the primary data centre while underserving the mundane nodes where resilience is built—stormwater capacity, leak detection and feeder line hardening in water networks, and mobility assurance under extreme heat. Risk registers flag surge, heatwaves, and water stress across all domains, yet continuity thresholds are inconsistently defined and rarely pre-authorised for spend; site walkthroughs at coastal works and water treatment show faithful execution to original tender specifications rather than updated tolerances aligned to newly modelled scenarios, and the data centre’s refined uptime monitoring is not matched by uplift to enabling networks that sustain cooling, pumping, and movement when temperatures spike. This is resilience performed where it can be seen, not where cascading failure would be stopped. In the words of the Head of ERM,
If you ask which assets get priority, it’s the coastal frontage and the COCDC backbone because they are legible proof points; yet resilience is built in pipes, feeders, and service schedules, and until thresholds for water, cooling, and mobility are specified and funded, we will keep favouring what is seen over what actually saves the city.
This empirical finding demonstrates a clear institutional misalignment as theorised by Dillard et al. [14]. At the societal level, signification structures are strong—national strategies frame resilience as a core mandate—but they fail to translate into legitimation structures that codify enforceable rules, such as continuity thresholds for water, cooling, and mobility assets. ERM policies and IFRS S2 drafts reproduce the discourse of resilience without embedding binding mechanisms, leaving organisational routines governed by formal rationality—producing compliance artefacts and visible performance—rather than substantive rationality that would embed resilience into procurement and engineering standards. Domination structures reinforce this decoupling by privileging resource allocation toward visible assets like coastal frontage and data centres, rather than systemic nodes where cascading failure would be prevented. In terms of the theoretical model, this finding confirms Dillard et al. [14]’s argument that institutionalisation is recursive and contingent on cross-level alignment: when signification, legitimation, and domination fail to converge, practices become ceremonial, producing symbolic compliance rather than structural coupling in smart-city climate governance.
CAPEX/OPEX allocation under NUCA’s governance codifies near-term efficiency and reputational optics as the decision calculus, not portfolio-level resilience, and the documentation of trade-offs reinforces that bias. Board and committee papers treat climate largely as project-specific risk or communication value, while ring-fenced budgets for cross-asset adaptation—stormwater redundancy, leak detection, feeder line upgrades, mobility shade and scheduling resilience—remain rare and are typically appended to flagship contracts as secondary clauses. Procurement teams routinely “wrap” adaptation inside high-profile tenders to clear authorisations, a practice that keeps resilience contingent rather than structural and prevents explicit pricing and scoring of resilience gates per asset class. The accounting optics win; the infrastructure loses. To quote the CFO,
We fund what the city can point to before we fund what the system truly needs—promenades and landmark facilities read as delivery, while valves, feeders, infiltration capacity, and equity safeguards read as cost; unless guidance specifies resilience gates per asset class, our spend will overinvest in symbols and underinvest in the system.
This empirical finding reflects how domination structures, as theorised by Dillard et al. [14], actively shape organisational priorities and resource flows. NUCA’s governance embeds a fiscal logic that privileges cost-efficiency and reputational optics, which becomes the dominant rationality guiding CAPEX/OPEX decisions. While societal signification frames resilience as a strategic imperative, the legitimating rules—such as binding resilience gates for procurement—are absent, allowing domination structures to dictate what counts as “performance”. This results in a recursive institutional dynamic where adaptation measures are appended to flagship projects as symbolic gestures rather than integrated as structural requirements. In theoretical terms, this illustrates how resource control and decision rights at the macro level constrain the institutionalisation of substantive rationality: resilience remains ceremonial because domination structures reward visible delivery over systemic risk mitigation. Consequently, the climate-risk portfolio reflects institutional power rather than vulnerability logic, confirming Dillard et al. [14]’s argument that institutionalisation is contingent on the alignment of meaning, norms, and resource authority across levels.
Macro political–economic pressures—budget cycles, delivery targets, and ceremonial inaugurations—compress governance horizons and dilute the embedding of climate risk into procurement and engineering standards, leaving specifications static while scenarios evolve across smart-city asset classes. Operations emphasise that teams work to the tender and the deadline; Legal and Compliance underscore that emails or memos cannot alter acceptance tests when specifications are unchanged; and Business Continuity confirms that playbooks trigger operational responses without unlocking design or maintenance re-authorisations. Cross-checks between risk registers and procurement files show tenders proceeding with legacy performance curves despite newly documented heatwave and surge impacts on district cooling, coastal defence, and mobility; plant routines at district cooling plants are robust but not uplifted for projected thermal stress; and coastal execution remains faithful to original tender parameters rather than updated surge tolerances. As the Operations Supervisor observed,
Deadlines are binding; scenarios are advisory—if resilience thresholds for cooling, coastal defence, water loss, and mobility aren’t written into specs and contracts, priced, scored, and accepted, we will keep delivering a plan that the climate has already changed.
This empirical finding illustrates how temporal and procedural constraints operate as institutional mechanisms within Dillard et al. [14]’s framework. Budget cycles and delivery deadlines act as domination structures that privilege short-term efficiency and ceremonial milestones over adaptive governance, while legitimating norms—such as procurement rules and tender specifications—remain static, preventing the integration of climate scenarios into engineering standards. Although signification at the societal level frames resilience as a strategic imperative, these macro pressures compress governance horizons, reinforcing formal rationality and producing routinised compliance rather than substantive embedding. In theoretical terms, this confirms Dillard et al. [14]’s argument that institutionalisation is recursive and power-laden: when domination structures reward speed and optics, and legitimation structures fail to evolve, organisational practices decouple from resilience objectives, leaving smart-city climate governance vulnerable despite its rhetorical strength.
Mechanisms that could reconcile short-term imperatives with long-term resilience exist, but only as ad hoc exceptions rather than institutional rules; consequently, ERM codification and audit scoping influence forms more than they change specifications and spending across the smart-city portfolio. Exception memos can fast track revisions when risk cues are unambiguous, and recent procurements include isolated pilots—heat-tolerant components in district cooling plants, surge-resilient fastenings in coastal packages—but these remain local innovations, not scaled mandates. Internal audit plans verify the existence and consistency of climate artefacts, yet they cannot authorise a rulebook that binds procurement and maintenance to scenario thresholds per asset class. Without a board-approved resilience appetite that is enforceable across coastal, water, energy/district cooling, mobility, and data centre assets, assurance will continue to certify narratives rather than reset decision gates. As the Head of Internal Audit concluded,
Internal audit can attest the story; only the board can change the specification—give us a binding resilience appetite per asset class and we will test its design and operating effectiveness; without it, heatmaps and S2 narratives will keep colouring the page while the portfolio spends the old way.
This empirical finding demonstrates how institutionalisation stalls when adaptive mechanisms remain discretionary rather than embedded, a dynamic central to Dillard et al. [14]’s model. Exception memos and pilot clauses signal attempts at change, but their ad hoc nature reflects weak legitimation structures: rules and norms that should formalise resilience thresholds across asset classes are absent. ERM codification and audit scoping, while present, operate as symbolic artefacts because domination structures—board-level authority and resource control—do not authorise systemic integration. This reinforces the recursive logic of the model: organisational actors improvise local fixes, yet these do not ascend to reshape field norms or societal priorities. The result is a governance pattern where formal rationality dominates, producing compliance narratives and isolated innovations rather than substantive coupling of resilience into procurement and maintenance regimes. In theoretical terms, this finding underscores Dillard et al. [14]’s argument that institutional change requires alignment across signification, legitimation, and domination; without that alignment, smart-city climate governance remains ceremonial and vulnerable.
These political–economic signals cascade into ERM codification and shape audit scoping, producing compliance artefacts without the force to recalibrate technical standards, acceptance tests, and O&M regimes at the points of failure that matter in a smart-city system. Risk forums debate hazards and continuity, audit committees review heatmaps, and disclosure drafts assemble narratives, but the absence of binding thresholds leaves decisions tethered to optics and budget cadence. The net effect is a structured decoupling: climate risk is named and noted but not yet bound to the specifications that govern spend and performance across the climate critical asset portfolio. Until resilience appetite and continuity thresholds are made enforceable per asset class—and until CAPEX/OPEX scoring explicitly prices resilience gates—YSF’s smart-city climate-risk portfolio will remain pre-shaped by visibility, cadence, and ceremony rather than by vulnerability, continuity, and equity. As the Audit Committee Secretary put it,
We have risk registers and dashboards, but the real test is whether scenarios change specs and budgets—until that is the standard, assurance will remain persuasive rather than dispositive.
This empirical finding illustrates how institutionalisation remains incomplete because the cascade from societal priorities to organisational routines is structurally blocked—a dynamic central to Dillard et al. [14]. While ERM codification and audit scoping create artefacts that signal compliance, they lack the normative force to recalibrate technical standards, procurement specifications, and O&M regimes. In terms of the model, signification structures (the discourse of resilience) are present, but legitimation structures—binding rules that embed resilience thresholds into decision gates—are absent, and domination structures continue to privilege optics and fiscal cadence over vulnerability logic. This produces what Dillard et al. [14] describe as ceremonial coupling: practices that mimic conformity without altering underlying resource allocations or technical routines. Theoretically, this finding underscores the recursive nature of institutionalisation: without alignment across meaning, norms, and power, smart-city climate governance remains locked in formal rationality, generating persuasive narratives rather than dispositive change.

6.2. Field-Level COSO ERM in Smart-City Climate-Risk Governance

Field-level governance translates the political–economic rhetoric of resilience (Section 6.1) into COSO ERM artefacts—policies, registers, heatmaps, committee packs, and IFRS S2 drafts—but, as currently practised, those artefacts rarely carry the binding thresholds, named decision rights, and pre-authorised resources needed to change specifications and spending across coastal, water, energy/district cooling, mobility, and data centre assets. In reviewed documents, ERM Policy v3.1 defines hazard taxonomies and introduces velocity and interconnectivity fields in the risk register, yet observations of planning meetings showed attention gravitating to heatmap gradations and narrative consistency rather than to the gates that would amend tenders or re-phase CAPEX. By contrast, COSO ICSR offers the missing control layer—data lineage, control activities, and monitoring—that can turn scenario outputs into decision-useful evidence, making escalation auditable and enforceable. As the Managing Director reflected,
We have the architecture—COSO ERM gives us the vocabulary and templates—but without codified thresholds, owners, and funding at the asset level, resilience remains documented more than delivered.
This empirical finding illustrates a different dimension of Dillard et al. [14]’s institutional model: the symbolic translation of macro priorities into field-level artefacts without activating structural coupling. At this level, signification from the political–economic domain—resilience as a national mandate—is reproduced through COSO ERM templates, registers, and disclosure drafts, creating an appearance of rationalised governance. However, the absence of codified thresholds, decision rights, and resource authorisations signals that legitimation remains procedural rather than substantive. This reflects what Dillard et al. [14] conceptualise as institutional layering, where new practices are grafted onto existing routines without displacing the underlying logic of efficiency and optics. The artefacts—heatmaps, velocity fields, and interconnectivity notes—function as carriers of legitimacy for external audiences, yet their inability to trigger specification changes or CAPEX reallocation demonstrates that domination structures still privilege ceremonial compliance over transformative governance. In theoretical terms, this finding underscores how institutionalisation can stabilise symbolic forms while leaving operational norms intact, reinforcing the recursive dynamic where resilience is documented but not enacted.
Professional and regulatory directives now require COSO ERM coverage of likelihood, severity, velocity, and interconnectivity, but they stop at reporting expectations instead of prescribing resilience appetite thresholds and escalation authorities that bind procurement and O&M. The risk-register columns for velocity and cross-asset interdependencies are populated; however, when heatwave scenarios breached modelled tolerances, escalation remained discretionary and did not automatically trigger specification revisions in district-cooling or mobility contracts. Here, COSO ICSR can hard-wire action by embedding threshold tables as control activities linked to responsibility matrices, workflow approvals, and change-control logs. Under such a design, crossing a scenario threshold would automatically initiate a specification-change process with named owners, defined budgets, and traceable approvals. In one recent pilot, a “threshold-to-spec” workflow was drafted for a cooling plant: when ambient temperature exceeded the defined band for a set duration, the ICSR workflow opened a change ticket, routed it to Engineering and Procurement, and required documented amendments to acceptance tests before the next tender cycle. As the Head of ERM explained,
COSO gives us structure—likelihood, severity, velocity, connectivity—but we need ICSR-grade controls that say: when a threshold is crossed, the spec will change and here is who authorises, funds, and signs it.
This empirical finding reflects a different theoretical dynamic within Dillard et al. [14]’s institutional model: the partial coupling of formal structures without activating the deeper normative and resource logics. At the organisational–field level, COSO ERM artefacts—risk registers, heatmaps, and disclosure templates—signal conformity to professional norms and regulatory expectations, satisfying the appearance of rational governance. However, the absence of codified thresholds and escalation authorities shows that legitimation operates as procedural compliance, not as a mechanism for redistributing power or altering resource flows. This illustrates what Dillard et al. [14] describe as the dual structuration of rules and routines, where new governance forms coexist with entrenched domination structures that prioritise optics and fiscal cadence. COSO ICSR’s potential to hard-wire thresholds and workflow approvals represents an attempt to shift from symbolic coupling toward substantive embedding, yet its limited uptake underscores how institutionalisation remains constrained by the recursive interplay of meaning and power. In short, the field level demonstrates that institutional change is not blocked by ignorance of frameworks but by the selective activation of rules that preserve existing resource hierarchies.
Sector benchmarks guide scenario design and the COSO ERM portfolio view, yet they function mainly as descriptive lenses instead of prescriptive triggers for investment and design. Temperature bands for district cooling and uptime tiers for the data centre are relatively mature in the annexes; by comparison, water distribution, stormwater capacity, and mobility assurance rely on fragmented indicators that seldom translate into pre-authorised spend or revised acceptance tests. In board minutes, benchmarked hazards were acknowledged, but escalation occurred when optics were at risk (public outages) rather than when models anticipated backbone failures in water or feeder lines. COSO ICSR can close this gap by enforcing measurement consistency and calculation procedures—a data dictionary for thermal stress, uptime, non-revenue water, and mobility service floors—paired with reconciliation rules that make the benchmark thresholds operationally binding: when the benchmark is breached, the control requires portfolio re-weighting and documented specification change. In the words of the Sustainability Manager,
Benchmarks make the picture credible, but they don’t yet bind the decision; with ICSR data lineage and mandatory reconciliation to thresholds, the same benchmarks can become funding and specification gates.
This empirical finding demonstrates a different theoretical linkage within Dillard et al. [14]’s institutional model: the selective operationalisation of professional norms without redistributing authority or altering resource logic. At the organisational–field level, COSO ERM artefacts and sector benchmarks create a veneer of rationalised governance, satisfying coercive and normative pressures from regulators and professional bodies. However, their function remains largely symbolic because escalation rights and funding triggers are absent, leaving decision-making tethered to optics rather than vulnerability logic. This reflects what Dillard et al. [14] conceptualise as institutional reproduction through procedural rationality, where new practices—heatmaps, benchmark annexes, and disclosure templates—are layered onto existing routines without displacing the underlying domination structures that prioritise fiscal cadence and reputational visibility. COSO ICSR’s potential to enforce data lineage and threshold-based workflows represents an attempt to shift from symbolic compliance to substantive embedding, yet its limited uptake underscores how institutionalisation is constrained by the recursive interplay of meaning, norms, and power. In short, benchmarks inform the discourse of resilience but fail to reconfigure the structural conditions that govern resource allocation and technical standards.
Compliance with COSO ERM principles is asserted in committee packs and regulator briefings, but enforcement is thin, and alignment between ERM registers and strategic objectives is claimed rather than verified. Heatmaps, likelihood–severity matrices, and interconnectivity narratives now appear routinely, yet field testing rarely shows that scenario outputs altered technical specifications, bill-of-quantities, or maintenance regimes in coastal works, water networks, mobility systems, or cooling assets. Where misalignment is detected, remediation is narrative—updating registers or adding KPIs—rather than structural. COSO ICSR supports enforcement by making those claims testable: control testing of data lineage, threshold mapping to specs, approval workflows, and monitoring reports that track whether scenario breaches resulted in design changes and budget movement. In one audit review, the team traced a heatwave scenario from the register to COCDC dashboards and then through tender files; the lack of a signed ICSR change-control record made non-action visible and remediable. The Audit Committee Secretary admitted the following:
Heatmaps reassure the room because they show process; what we need—and ICSR can reveal—is whether a threshold crossing changed the specification, the acceptance tests, and the maintenance regime.
This empirical finding illustrates another facet of Dillard et al. [14]’s institutional model: the persistence of ceremonial compliance reinforced by normative isomorphism. At the organisational–field level, professional and regulatory directives embed COSO ERM principles—likelihood, severity, velocity, interconnectivity—into risk registers and committee packs, creating artefacts that signal legitimacy to external stakeholders. However, the absence of enforceable thresholds and escalation authorities means these artefacts operate as symbolic carriers of conformity rather than as instruments of structural change. This reflects Dillard et al. [14]’s insight that institutionalisation is not merely about adopting frameworks but about activating the power and resource logics that make those frameworks consequential. COSO ICSR’s proposed control activities—threshold tables, workflow approvals, and change-control logs—represent an attempt to move from symbolic coupling to substantive embedding, yet their limited uptake underscores how domination structures continue to privilege optics and fiscal cadence over resilience imperatives. In theoretical terms, this finding demonstrates how field-level codification can stabilise legitimacy while leaving operational norms intact, reinforcing the recursive dynamic where resilience is documented but not enacted.
Revision cycles remain episodic and reactive, triggered by incidents, media attention, or opportunistic budget windows rather than by formal COSO ERM tolerances. Exception memos have fast-tracked isolated changes—heat-tolerant components in district cooling plants and surge-resilient fastenings in coastal packages—but these are local innovations, not scaled rules. Observations during tender evaluations showed such clauses treated as discretionary add-ons, not mandatory requirements. COSO ICSR can institutionalise a closed-loop cycle: quarterly threshold assessments, management certifications, exception logs tied to corrective-action plans, and monitored remediation that is reported through governance dashboards. In water operations, an ICSR-style leakage control set—source data validation, meter-to-SCADA reconciliation, and threshold-triggered work orders—demonstrated how routine metrics can be tied to pre-authorised OPEX uplift for heat-stress periods, converting residual risk into maintenance programmes rather than deferrals. The Legal and Compliance Officer stressed the following:
We can move quickly on an exception when the case is obvious; what will make resilience stick is a rulebook of thresholds, owners, and approvals that runs every quarter, not just after an incident.
This empirical finding highlights a different theoretical dimension within Dillard et al. [14]’s institutional model: the temporal fragility of institutionalisation and the dominance of reactive routines over structured governance. Revision cycles that depend on incidents or opportunistic budgets rather than formal COSO ERM tolerances reveal how institutionalisation remains contingent and episodic, not embedded. While signification and legitimation structures exist in the form of ERM policies, risk registers, and professional norms, their operationalisation is undermined by domination structures that reward short-term optics and fiscal cadence. This pattern reflects Dillard et al. [14]’s notion of recursive reproduction, where organisational actors improvise exceptions to maintain legitimacy without challenging the underlying resource logic. COSO ICSR’s closed-loop controls—threshold assessments, workflow approvals, and monitoring dashboards—represent a potential shift from reactive adaptation to routinised resilience, but their limited adoption underscores how institutional change requires more than technical artefacts; it demands a redistribution of authority and accountability across levels. In short, resilience remains a discretionary act rather than a systemic rule, confirming that institutionalisation here is partial and vulnerable to reversal.
Ultimately, field-level COSO ERM has succeeded in standardising climate-risk language and artefacts, but without COSO ICSR-grade control mechanics—threshold codification, data lineage, approval workflows, and monitoring—the system still certifies resilience more than it delivers it. Risk forums debate hazards, audit committees review registers, and disclosure drafts assemble narratives, yet the specification and budget decisions that determine resilience at the points of failure remain tethered to optics and fiscal cadence. The path to substantive governance is clear in the emerging pilots: make thresholds for coastal, water, cooling, mobility, and data-centre assets binding, assign decision rights, embed ICSR controls that automatically route scenario breaches to specification changes, and require audit evidence of design and spend shifts. As the Head of Internal Audit concluded,
We can attest the system as written under COSO ERM; with COSO ICSR, we can also prove whether thresholds triggered specification changes and budget movement—without those controls, assurance certifies the narrative while the portfolio spends the old way.
This empirical finding illustrates a different theoretical linkage within Dillard et al. [14]’s institutional model: the institutionalisation of symbolic artefacts without activating structural coupling through control systems. At the organisational–field level, COSO ERM has successfully standardised language and artefacts—risk registers, heatmaps, and disclosure templates—creating a strong appearance of rational governance and satisfying normative expectations. However, the absence of COSO ICSR-grade control mechanics—threshold codification, workflow approvals, and monitoring—reveals that legitimation remains procedural rather than substantive. This reflects Dillard et al. [14]’s insight into institutional persistence through formal rationality, where organisations adopt frameworks to demonstrate compliance but avoid redistributing authority or altering resource flows that would challenge domination structures. Emerging pilots that link thresholds to specification changes signal a potential shift toward substantive embedding, yet their limited scale underscores how institutional change depends on aligning meaning, norms, and power across levels. In short, resilience governance at this level exemplifies how institutionalisation can stabilise legitimacy while leaving operational routines largely untouched, reinforcing the recursive dynamic where resilience is certified rather than enacted.
Figure 3 visualises the auditable “threshold-to-specification” workflow from COCDC/SCADA alerts through ERM and ICSR records to amended tender/O&M artefacts and IFRS S2-aligned disclosures.

6.3. Organisational Internal Audit and Climate-Risk Assurance as an Integrative Mechanism in Smart-City Governance

An internal audit at YSF operates at the organisational junction where climate-risk signals from operations, field-standardised risk artefacts, and board decision rights must be translated into enforceable practice. Reading across ERM Policy v3.1, the FY2024/25 internal audit plan, COSO ICSR control matrices, IFRS S2 draft packs, committee minutes, change-control logs, and tender files, the documentary trail confirms that the building blocks are present: hazards are captured with velocity and interconnectivity fields; key climate metrics carry partial data lineage; and disclosure drafts echo the risk taxonomy used in governance forums. Yet site observations in New Alamein City’s coastal works, district cooling plant, wastewater facilities, and the COCDC repeatedly revealed a fracture between the registration of thresholds and their conversion into specification changes or budget movement. An internal audit closes this visibility gap by tracing a single climate signal end-to-end—from sensor alerts and SCADA streams into ERM registers, from there to ICSR control tables and change-control records, and finally into amended bills of quantities or acceptance tests. Where the chain ends in narrative rather than a signed change record, assurance renders non-action auditable rather than arguable. As the Managing Director remarked in a July 2024 board briefing,
When a breached temperature band sits beside an unaltered clause in the audit file, it stops being a general risk and becomes a funded choice we must own.
This empirical finding exemplifies Dillard et al. [14]’s institutional model because it demonstrates how organisational practices evolve through the recursive interaction of signification, legitimation, and domination structures. An internal audit’s tracing of climate signals from operational alerts to procurement artefacts transforms abstract risk discourse into auditable obligations, reinforcing signification by embedding climate thresholds into the organisation’s interpretive schema. At the same time, the insistence on signed change records and compliance logs strengthens legitimation by converting informal expectations into formalised rules that define what constitutes appropriate action. Finally, by escalating non-action into a visible, costed choice for the board, an internal audit challenges domination structures, compelling resource controllers to confront the allocative consequences of deferral. In doing so, the practice reflects Dillard et al. [14]’s argument that institutionalisation is enacted through power-laden negotiations and reflexive monitoring, where artefacts and accountability mechanisms are mobilised to reconfigure norms and redistribute authority—shifting climate governance from symbolic representation toward substantive embedding.
The interface with ERM and reporting functions is intentionally procedural, not merely descriptive. An internal audit does not stop at confirming that heatwave, surge, water-stress, or uptime thresholds appear in the register; it tests whether those thresholds are codified as COSO ICSR control activities that route through change tickets with named owners and pre-authorised ranges of spend, and it reconciles IFRS S2 metrics and targets to the same operational sources that triggered the breach. In the district-cooling review completed in Q3-2024, for example, ambient-temperature exceedances opened a workflow, derating assumptions were recalculated, acceptance tests were amended, and the revised clauses appeared in the next tender cycle. Where management initially resisted specification amendments, an internal audit submitted a resilience escalation note that priced the counterfactual—continuity loss, remedial OPEX during heat events, and reputational exposure—so the audit committee confronted budget logic rather than abstract heatmap colours. The Audit Committee Secretary’s reaction captured the shift:
The audit package turned a climate story into a spend story; we were choosing between two budgeted futures, not debating colours.
This empirical finding reveals another facet of Dillard et al. [14]’s model: the dynamic of institutional layering and the role of artefacts in redistributing accountability. By embedding COSO ICSR workflows and IFRS S2 reconciliations into routine governance, an internal audit introduces new procedural artefacts that coexist with legacy norms but gradually reconfigure the organisational logic of decision-making. These artefacts do more than document compliance—they create a structural coupling between risk signals and resource allocation, forcing boards to confront climate thresholds as auditable obligations rather than discretionary considerations. In Dillard et al. [14]’s terms, this illustrates how institutionalisation is not a linear replacement of old practices but a recursive layering process, where new rules and accountability mechanisms incrementally shift the balance of power and redefine what counts as legitimate action. The audit committee’s shift from debating “colours” to choosing “between two budgeted futures” signals this transition: meaning and power are renegotiated through artefacts that make inaction visible and costly, confirming the model’s emphasis on reflexivity and the duality of structure.
Prioritisation in the audit universe is re-weighted toward assets whose failure propagates through the smart-city system. While coastal frontage and the data-centre backbone remain material, an internal audit deliberately directs effort to enabling networks—stormwater conveyance and redundancy, non-revenue water and feeder-line hardening, and thermal derating and redundancy ratios in cooling—because these quietly determine whether mobility, safety, and digital services endure stress events. The evidence standards applied are cumulative. Design effectiveness examines whether overtopping return periods, thermal derating bands, uptime tiers, leakage floors, and mobility service thresholds are expressed as binding tables with named decision rights, routing rules, and spend envelopes that make action non-discretionary once breached. Operating effectiveness then tests whether real breaches consistently generate artefacts that alter reality, such as opened workflow tickets, signed approvals, amended specifications and bills of quantities, re-phased CAPEX/OPEX, and adjusted maintenance regimes, and whether disclosure numbers reconcile cleanly to those implemented decisions. During an October 2024 coastal package walkthrough, an internal audit followed the updated surge tolerance from model to fastening specifications and then to the budget entry that funded the change; the Coastal Engineering Lead acknowledged the difference: “we have long modelled surge; the audit insisted on the signature chain that turns tolerance into hardware and money”. In wastewater operations observed in January 2025, meter-to-SCADA reconciliations automatically raised work orders when leakage exceeded the quarterly threshold; the Wastewater Manager noted,
Thresholds used to be aspirational; because the audit will test the work order and the release, the threshold now moves OPEX.
This empirical finding illustrates a different dimension of Dillard et al. [14]’s model: the role of resource prioritisation as a manifestation of institutional power and rationality. By re-weighting the audit universe toward enabling networks—stormwater systems, feeder lines, and cooling redundancies—an internal audit challenges the dominance of visibility-driven resource allocation and introduces logic grounded in systemic vulnerability. In Dillard et al. [14]’s terms, this reflects a shift in domination structures: authority over resource flows is contested through artefacts such as threshold tables, routing rules, and signed approvals that make resilience a rule-based obligation rather than a discretionary act. At the same time, the move from aspirational thresholds to operational triggers, evidenced by automated work orders and budget releases, signals the embedding of formal rationality into organisational routines. What was previously ceremonial—risk registers and aspirational metrics—becomes enforceable through routinised workflows that redistribute decision rights and capital. This dynamic confirms Dillard et al. [14]’s argument that institutionalisation is not merely about adopting new norms but about reconfiguring the underlying power–resource nexus, where audit artefacts act as catalysts for altering the calculus of legitimacy and authority in smart-city governance.
Remediation actions are designed to close the gap between symbolic compliance and substantive embedding. An internal audit has recommended, and management has begun to implement, programme-level threshold-to-spec tables linked to responsibility matrices, change-control logs, and quarterly management certifications. These instruments force a binary: either the breach amends the specification and moves funds, or a time-bound deferral is recorded and owned in committee. Data dictionaries and reconciliation rules standardise thermal stress, surge, uptime, leakage, and mobility metrics across operational and reporting systems, which reduced discrepancies between COCDC dashboards and disclosure drafts and made every reported figure auditable back to the source and the change it justified. The ICT Lead described the operational effect after a December 2024 clean-up: “we rebuilt our tag hierarchy and timestamp discipline because the audit now walks a disclosure number back to the sensor and the procurement change; it forced quality at the origin of the data”. Health, safety, and equity considerations are being drawn into the same loop. Following an audit thematic memo on heat stress and outdoor service continuity, the HSE Manager instituted a minimum shaded-service floor for mobility and water crews during extreme heat bands, explaining in a February 2025 certification:
If the heat band is breached, I either reschedule and authorise overtime or I file a deferral that the committee will read next month.
This empirical finding highlights another facet of Dillard et al. [14]’s model: the recursive coupling of interpretive schemes and allocative structures through artefact-driven accountability. By introducing threshold-to-spec tables, responsibility matrices, and quarterly certifications, an internal audit transforms climate governance from a domain of symbolic representation into a system of routinised obligations. These artefacts do more than standardise data—they create enforceable junctions between operational signals and governance decisions, compelling actors to either act or formally defer in a way that is visible and sanctionable. In Dillard et al. [14]’s terms, this demonstrates how institutionalisation is enacted through the duality of structure: interpretive schemes (climate thresholds and resilience narratives) are reconstituted as normative rules, and those rules are embedded in allocative structures that redistribute authority and resources. The ICT Lead’s remark about rebuilding tag hierarchies and the HSE Manager’s admission that deferrals now appear in committee packs illustrate how power and legitimacy are renegotiated through procedural artefacts, confirming the model’s emphasis on reflexivity and the materiality of control in sustaining institutional change.
To make learning systemic, an internal audit shifted feedback from episodic memos to a timed governance cycle observed across Q4-2024 and Q1-2025: management performs a quarterly threshold assessment and signs a certification; exceptions feed an ICSR monitoring log; an internal audit verifies samples and issues a thematic briefing that aggregates cross-asset exposures; the audit committee receives that briefing alongside a resource docket aligned to the CAPEX/OPEX calendar; and the following quarter’s audits test both implementation and the truthfulness of disclosures against the change logs. Minutes for stormwater and cooling reviews record explicit requests for “before/after” clauses in tenders and for a standing resilience change log in committee packs. The COCDC manager captured the behavioural change at operations level:
Once repeated thermal alerts were routed—because audit demanded it—into procurement workflows, the next tender carried the derating clause; the dashboard stopped being a warning and became a design input.
This empirical finding illustrates yet another facet of Dillard et al. [14]’s model: the institutionalisation of temporal routines as a mechanism of structural coupling. By shifting from ad hoc memos to a quarterly governance cycle, an internal audit embeds climate-risk into the organisation’s temporal structure, creating predictable intervals for assessment, certification, verification, and committee review. In Dillard et al. [14]’s terms, this represents the recursive production of rules that stabilise expectations across actors—management anticipates certification, committees expect resource dockets, and audit plans incorporate follow-up testing. These routines do more than organise time; they redistribute power by constraining discretionary deferral and making inaction visible at the next cycle. The data centre manager’s remark that “the dashboard stopped being a warning and became a design input” signals how temporal structuring converts interpretive schemes into operational artefacts, reinforcing the duality of structure: time-bound obligations both enable and constrain agency, institutionalising resilience as a recurring governance act rather than an episodic exception.
Within this architecture, an internal audit influences board decisions by converting abstract risk into costed choices, synchronising evidence with the budget timetable, and attaching reputational accountability to deferral. Each climate-material audit now reaches the committee as a decision package: a breached threshold paired with the precise specification clause to be amended; quantified continuity, safety, and equity impacts over the planning horizon; and funding paths that surface schedule and portfolio trade-offs. Disclosure assurance is withheld until the corresponding change is evidenced in the procurement or O&M file, structurally linking narrative credibility to governance action. The CFO described the effect on budget discipline during a January 2025 session: “our budget papers now carry explicit climate gates; I cannot present delivery optics unless I show how the gate is priced and what audit will test next quarter”. In a follow-up discussion, the CFO added a practical constraint and commitment:
We still operate under tight ceilings, but the audit evidence means resilience competes transparently; when a threshold is crossed, I either fund the spec change or I sign the deferral and expect to see it again, costed higher, in the next cycle.
This empirical finding illustrates a further dimension of Dillard et al. [14]’s institutional model: the reconfiguration of domination structures through calculative artefacts. By converting climate risk into costed decision packages and conditioning disclosure assurance on evidence of change, an internal audit shifts the locus of power from narrative compliance to allocative accountability. In Dillard et al. [14]’s terms, this represents a redistribution of resource authority—boards and executives can no longer exercise discretion in a vacuum; they must act within a framework where inaction is documented, priced, and reputationally exposed. The CFO’s admission that resilience now “competes transparently” and that deferrals return “costed higher” in the next cycle signals the emergence of a new rationality: decisions are governed not only by formal rules but by escalating economic consequences embedded in audit artefacts. This dynamic confirms Dillard et al. [14]’s argument that institutionalisation is enacted through recursive monitoring and power-laden negotiation, where calculative devices transform the conditions under which authority is exercised, moving climate governance from ceremonial representation toward substantive embedding.
Examples from smart-city projects illustrate how this integrative assurance becomes embedded rules. In coastal works along the New Alamein promenade, the updated surge tolerance moved from hydrodynamic modelling to fastening specifications and funded procurement changes within a single cycle, preventing ceremonial upgrades that would underperform under storm events. In district cooling, threshold-triggered change tickets rewrote acceptance tests to reflect derating at sustained high temperatures, reducing cascading outage risk across mobility and residential cooling. In smart water metering, leakage thresholds tied to non-revenue water analytics opened work orders and released targeted OPEX uplift during heat periods, protecting pressure and service continuity for vulnerable neighbourhoods. In the data-centre backbone, uptime tiers were matched by enabling network investments—backup pumping and cooling redundancy—after an internal audit traced persistent alert patterns into the tender board’s docket with costed alternatives. The Sustainability Manager, reflecting on these cross-domain shifts, noted,
The audit packages forced us to treat resilience as an investment thesis across assets; when a climate gate appeared as a scored item in procurement, it moved from aspiration to funding.
This empirical finding illustrates another facet of Dillard et al. [14]’s model: the institutionalisation of calculative rationality through artefact-driven coupling. By embedding resilience thresholds into procurement scoring and linking them to costed alternatives, an internal audit transforms climate governance from aspirational discourse into a competitive investment logic. In Dillard et al. [14]’s terms, this reflects a shift in the underlying rationality of organisational decision-making: resilience moves from a symbolic representation of public value to a calculative criterion that structures resource allocation. The artefacts—scored climate gates, amended specifications, and costed dockets—operate as carriers of legitimacy, compelling actors to justify choices within a framework of quantified trade-offs. This dynamic confirms the model’s emphasis on institutionalisation as a recursive process where new artefacts do not merely document compliance but actively reshape norms and redistribute power, embedding climate priorities into the formal calculus of organisational performance.
Taken together, the documents, observations, and testimonies indicate that the internal audit has become YSF’s organisational integrator between scenario-based risk identification, control design and operation, and disclosure credibility. It does not legislate appetite, but it makes appetite unavoidable by evidencing threshold breaches, tying them to specification clauses and budget lines, running a quarterly comply-or-explain cadence, and conditioning disclosure assurance on proof of change. Where the board codifies appetites per asset class and delegates spend ranges, the audit evidence becomes dispositive and thresholds function as gates; where such codification is still emerging, an audit nonetheless shapes decisions by structuring agendas, quantifying trade-offs, and accumulating an auditable trail that renders inaction both visible and costly. As the CFO summarised the new cadence,
Audit has turned resilience from rhetoric into a line item; if we defer, it is written, dated, and priced—and that changes how every portfolio conversation ends.
This empirical finding reflects another dimension of Dillard et al. [14]’s institutional model: the recursive reinforcement of structural duality through accountability artefacts. An internal audit’s role as an organisational integrator does not merely add technical rigour; it actively reshapes the conditions under which power and legitimacy operate. By evidencing breaches, linking them to specification clauses and budget lines, and embedding a comply-or-explain cadence, an audit transforms climate governance from a symbolic exercise into a structured negotiation of authority. In Dillard et al. [14]’s terms, this demonstrates how domination structures—previously privileging discretionary resource allocation—are recalibrated through artefacts that make inaction visible, priced, and reputationally consequential. The CFO’s observation that resilience has become “a line item” underscores this shift: rationality moves from ceremonial compliance toward calculative accountability, confirming the model’s argument that institutionalisation is enacted through reflexive monitoring and the materialisation of norms into routinised practices that constrain and enable agency simultaneously.
Overall, the empirical evidence demonstrates that climate-risk governance within YSF is characterised by a persistent tension between symbolic compliance and substantive embedding. At the political–economic level, national strategies and disclosure mandates provide strong signification but fail to translate into binding thresholds and resource commitments, leaving resilience contingent on optics and fiscal cadence. At the field level, COSO ERM artefacts and IFRS S2 templates standardise language and reporting but lack enforcement mechanisms, resulting in procedural legitimacy rather than structural coupling. At the organisational level, an internal audit emerges as the most effective integrator—tracing risk signals to procurement clauses, enforcing data lineage, and introducing artefacts that convert climate thresholds into auditable obligations. Yet without codified appetites and delegated authority, these mechanisms remain partially institutionalised, producing incremental gains rather than systemic transformation. Collectively, the findings reveal that while governance frameworks and assurance practices are advancing, their capacity to reconfigure resource logic and embed resilience across Egypt’s smart-city portfolio depends on aligning meaning, norms, and power—a condition that remains emergent rather than fully achieved.

7. Discussion

The preceding empirical findings are distinctive in both scope and granularity: they document, with audit-traceable pathways, how climate risk moves (or fails to move) from operational signals to enforceable specifications, budget reallocations, and disclosure credibility within a state-owned smart-city enterprise. This end-to-end tracing across coastal works, water networks, district cooling, mobility, and the city-scale data centre reveals a structured decoupling between strong signification—exhibited in hazard taxonomies, velocity and interconnectivity fields, and scenario registers—and weak legitimation and authorisation at the operational points of failure that ultimately determine resilience. That decoupling is well theorised, yet rarely demonstrated with artefacts that link sensor alerts to procurement clauses and spend movement; by converting thresholds into rule-bearing, costed obligations, the case operationalises Dillard et al. [14]’s multilevel model and shows how institutional alignment can be forced, rather than merely hoped for, through the materiality of control and cadence. In contrast to descriptive accounts of ERM adoption in public entities [10] and high-level resilience mandates [3], the evidence here reveals the micro-mechanics that make resilience binding: threshold-to-spec tables, change-control logs, scored climate gates in procurement, quarterly certifications, and testable data lineage under COSO ICSR—each artefact stitching climate signification to decisions and resource flows [1,2,31].
This contribution advances the ERM/assurance literature by demonstrating that COSO ERM’s portfolio view becomes decision-useful only when paired with investor-grade control mechanics that prescribe “what must happen” when a scenario gate is breached [2,31]. The unique element is the codified escalation from climate thresholds to mandatory specification changes and budget movement, evidenced through routinised workflows and committee logs. Prior work has underscored the prevalence of symbolic climate integration and uneven ESG assurance maturity in public bodies [12,13,34]; the present findings go further by specifying a governance cycle—assessment, certification, audit verification, resource dockets, and re-testing—that converts compliance artefacts into enforceable obligations. This closes a persistent practice gap in emerging-economy SOEs, where climate is often narrated in registers and disclosures but seldom embedded in procurement and O&M standards at cadence [10,13,58,59]. Recent research further supports the need for audit-enabled enforcement mechanisms by demonstrating how COSO-aligned internal control indicators, when evaluated through statistical and machine learning techniques, can transform governance gaps into enforceable, evidence-based decision processes [59].
The smart-city governance literature has long emphasised collaboration, portfolio logic, and the interplay of technology, people, and institutions [6,7,8]. The findings here add a distinctive layer: portfolio logic remains ceremonial unless thresholds are hard-wired into design clauses and spend envelopes, a pattern consistent with recent evidence showing that governance frameworks become effective only when internal-control signals are translated into enforceable, auditable actions through COSO-aligned mechanisms [59]. Examples across domains—surge tolerances translating into fastening specifications and funded procurement, thermal derating rewriting acceptance tests in cooling plants, leakage thresholds triggering SCADA-supported work orders and OPEX releases, and uptime tiers matched with enabling network upgrades—show how the digital layer, through dashboards and alerts, becomes a governance artefact that conditions investment rather than merely an informational display [3,25,36]. In this sense, resilience is institutionalised by calculative artefacts—scored climate gates, before/after clauses, costed decision packages—that embed climate priorities into the formal calculus of portfolio performance, addressing a gap noted in prior work where dashboards and heatmaps stabilised legitimacy but rarely reweighted CAPEX/OPEX [8,10].
Theoretically, the case extends Dillard et al. [14] in four ways. First, it evidences institutional layering: new ICSR workflows and S2 reconciliations coexist with legacy norms yet incrementally shift decision rationality from optics to allocative accountability [1,2,14]. Second, it demonstrates temporal structuring as a mechanism of coupling: a quarterly cadence of threshold assessment, certification, audit verification, and committee review constrains deferral and makes inaction reputationally and financially salient in the next cycle, thereby materialising the duality of structure [14,15]. Third, it foregrounds calculative artefacts as instruments of authority redistribution: costed resilience notes and scored procurement gates compel boards to choose between budgeted futures rather than narrative reassurance, reconfiguring domination structures through the economics of non-action [14,46]. Fourth, it introduces a crisis-driven recursion pathway: repeated and priced breaches that remain visible in committee packs push risk-appetite codification upward and delegation outward, enabling organisational innovations—such as threshold-to-specification tables and resilience-change logs—to influence field-level criteria and, ultimately, macro-level resource logics [14,34]. This multi-faceted extension enriches the model’s explanatory power in contested public infrastructures, where climate governance is enacted through artefacts and cadence rather than linear diffusion of standards [16,45].
Empirically, the case is unusual in context and completeness. It is situated within a NUCA-governed smart-city portfolio—coastal, water, energy/district cooling, mobility, and data centre—where occupancy gaps, governance frictions, and fiscal constraints complicate claims of resilience [40,44]. The findings provide rare, audit-traceable demonstrations of how thresholds become binding across assets, a level of operational detail largely absent from published SOE cases in emerging economies [10,13]. The articulation of compliance conditions—ICSR-grade lineage, threshold tables with named owners and pre-authorised spend, change logs in tender files, and S2 reconciliations to operational sources—offers a replicable template that moves climate assurance from persuasive narrative to dispositive governance action [1,2]. Importantly, the approach recognises equity and service continuity considerations—e.g., protecting water pressure and cooling during heat periods—linking resilience to public-value outcomes flagged in energy and demand-response research [25,26,28].
The findings highlight that the audit-enabled pathway addresses not only the detection of climate-risk signals but the persistent gap in their conversion into enforceable action. Technology-centric approaches, including AI-based monitoring and predictive analytics, can improve the speed, accuracy, and granularity of hazard detection; however, such tools do not, on their own, confer authority to amend specifications, mobilise O&M releases, or reweight budgets [3,25]. Market-based mechanisms—such as insurance and risk-transfer instruments—help price exposure and shape incentives, yet they operate largely ex-post, without ensuring that thresholds trigger binding operational changes. The case indicates that the comparative value of the audit-centred approach lies in providing an organisational enforcement spine through COSO ERM/ICSR artefacts, codified escalation routes, and audit committee visibility, ensuring that climate-scenario breaches become ‘documented’, ‘budgeted’, and ‘auditable’ obligations. In contexts with strong AI infrastructure or mature insurance markets, complementarity rather than substitution is expected [1,2,14]: analytics strengthen the quality of signals, insurance sharpens incentives, and audit-enabled governance ensures that both translate into concrete, enforceable change. The case also illustrates that COCDC/SCADA dashboards function primarily as warning systems, enhancing detection and situational awareness but not guaranteeing specification amendments, budget reallocations, or O&M mobilisation in the absence of codified thresholds and delegated authority [6,7,8]. The audit-enabled pathway fills this implementation gap by linking climate thresholds to codified escalation routes, evidence-tested controls, and board-visible accountability, converting sensor data into enforceable design and budgeting inputs. This positions technology-rich monitoring and audit-centred governance as complementary rather than competing mechanisms.
Finally, the findings delineate boundary conditions and implications for policy and practice. An internal audit does not legislate appetite; it makes appetite unavoidable by evidencing breaches, tying them to specification clauses and budget lines, conditioning disclosure credibility on proof of change, and sustaining a comply-or-explain cadence that returns priced deferrals to the agenda until resolved [1,12]. For NUCA-led portfolios, codifying resilience appetites per asset class, delegating spend ranges to named owners, and requiring ICSR-grade evidence for tender and O&M amendments are the levers that turn assurance into governance [2,31]. The unique theoretical and empirical contribution, therefore, lies in showing how climate thresholds are institutionalised through artefact-driven, time-bound assurance, aligning meaning, norms, and power in an emerging-economy smart-city context where visibility and fiscal cadence often dominate the resilience calculus [3,44].
The observation window captures enforceability inputs and near-term, auditable outputs—amended specifications and acceptance tests, O&M work orders, CAPEX/OPEX reweighting, and IFRS S2-aligned reconciliation entries—rather than long-run engineering performance. Demonstrating durable resilience effects requires tracking lagging indicators (e.g., sustained reductions in outage duration and failure rates; leakage performance on priority mains; thermal-derating pass rates for district-cooling and ICT equipment; coastal overtopping tolerance; heat-related service-level interruptions) across multiple seasonal cycles. A forward evaluation plan envisages multi-season observation with pre/post-comparisons against specification baselines and matched-asset or difference-in-differences designs where asset cohorts permit. This distinction between enforceability evidence in the near term and resilience outcomes over longer horizons clarifies what the present case can show now and how longer-run impacts will be assessed.

8. Conclusions

This study set out to examine how an internal audit can be leveraged as a strategic assurance mechanism to embed climate-risk governance within a state-owned smart-city enterprise in Egypt. It was guided by the following overarching research question: How can an internal audit make COSO ERM signals and IFRS S2 requirements enforceable at the level of technical specifications, budgets, and operational routines in a state-owned smart-city enterprise? This central question was explored through two interrelated questions: How does an internal audit translate COSO ERM climate thresholds into binding specification amendments and budget reallocations across climate-critical assets? How does an internal audit strengthen the credibility of IFRS S2 disclosures by linking reported metrics and targets to verifiable operational changes through COSO ICSR data lineage and control workflows? These questions framed the analysis, anchored in the multilevel institutional model of Dillard et al. [14], which explains the recursive interplay of signification, legitimation, and domination structures in shaping organisational practices. This theoretical lens was operationalised through the AECGSC framework, integrating COSO ERM, COSO ICSR, and ISSB S2 principles into a governance architecture tailored for smart-city contexts. Methodologically, this study adopted an interpretive case design, combining twenty semi-structured interviews, extensive document analysis, and structured observations, supported by iterative coding, triangulation, and member checking. This approach responds to critical gaps in the literature: the absence of empirical evidence on how ERM and internal audit jointly operationalise climate scenarios in SOEs, the weak coupling of disclosure mandates with enforceable controls, and the scarcity of emerging-economy cases that demonstrate end-to-end traceability from hazard signals to specification changes and budget reallocations.
The findings reveal a persistent misalignment between strong national signification of resilience and weak legitimation and resource authority at the operational points that determine continuity in smart-city systems. ERM artefacts—risk registers, heatmaps, and disclosure drafts—are present but lack binding thresholds, delegated decision rights, and pre-authorised spend that would compel changes to procurement specifications and O&M regimes across climate-critical assets such as coastal defences, water networks, district cooling, mobility systems, and the datacentre backbone. Resource allocation remains dominated by visibility and fiscal cadence, privileging symbolic infrastructure over systemic vulnerability mitigation. The internal audit emerges as the most effective integrator, tracing climate signals from operational alerts through ERM registers and ICSR control tables to procurement clauses and budget entries. Mechanisms such as threshold-to-spec workflows, scored climate gates in tenders, quarterly certifications, and reconciled data lineage convert climate risk from narrative compliance into costed obligations. However, these mechanisms remain partially institutionalised and contingent on board-level codification of resilience appetites and delegated authority, underscoring the recursive nature of institutionalisation theorised by Dillard et al. [14].
The implications of these findings are twofold. From a practical perspective, boards and audit committees must institutionalise resilience by codifying asset-specific thresholds, assigning escalation authorities, and embedding COSO ICSR-grade controls that make action nondiscretionary when scenario gates are breached. Operational dashboards should function as design inputs, linking hazard metrics to procurement scoring and maintenance release rules, thereby transforming real-time alerts into enforceable governance artefacts. These steps would move climate governance from ceremonial compliance toward substantive embedding, ensuring that resilience is not only documented but delivered. From a social perspective, governance reforms must incorporate equity and health safeguards—such as continuity floors for water and cooling during heat events—to protect vulnerable populations, particularly under dynamic pricing regimes and heat stress conditions. Transparent deferral logs and compliance cycles should make resilience decisions visible and accountable, reinforcing public trust in smart-city programmes and aligning climate governance with broader societal values of fairness and service continuity. Disclosure credibility under IFRS S2 depends on audit-traceable lineage from reported metrics to the operational changes they justify; without this, organisations risk reputational and regulatory exposure. In contrast to technology-centric approaches that improve signals and market-centric mechanisms that shape incentives, the audit-centred pathway provides the enforceability spine that makes climate thresholds operationally binding at the points of design, procurement, and O&M.
The contribution to sustainability accounting, management, and policy lies in demonstrating an audit-enabled governance architecture that couples COSO ERM’s portfolio logic with COSO ICSR’s control mechanics under ISSB S2. By evidencing how calculative artefacts—threshold tables, procurement gates, costed decision packages—realign meaning, norms, and power, this study extends institutional theory and offers a replicable template for converting climate strategy into auditable reality. This framework provides actionable guidance for managers and policymakers seeking to embed resilience in smart-city programmes under resource constraints and rising disclosure demands. It also advances the literature by showing, with audit-traceable granularity, how governance artefacts and temporal routines—such as quarterly comply-or-explain cycles—materialise the duality of structure, redistributing authority and constraining discretionary deferral. In doing so, this study demonstrates that climate governance in public infrastructures is enacted through artefacts and cadence rather than through linear diffusion of global standards.
Some limitations must be acknowledged. The single-case design constrains generalisability, and the bounded temporal horizon limits assessment of long-term resilience outcomes and equity impacts. While the mechanisms identified are portable, their effects will vary with political–economic logics, regulatory regimes, and organisational capacities. Future research should pursue comparative studies across SOEs and municipal authorities, integrate quantitative evaluations of continuity and cost-effectiveness, and examine supervisory audit interfaces and citizen-level equity. Design-science approaches could prototype full ICSR implementations and trace causal pathways from threshold activation to portfolio reweighting and disclosure credibility over multiple budget cycles. While the study evidences enforceability through near-term specification changes, budget movements, and disclosure reconciliation, the longer-term resilience effects of these adjustments will require multi-season evaluation using engineering and service-continuity metrics. Such extensions would deepen our understanding of how audit-enabled governance institutionalises climate resilience as a routine, accountable practice in smart-city systems, moving beyond symbolic compliance toward substantive embedding.

Author Contributions

Conceptualization, L.A.Z.A.A. and M.A.A.; Methodology, L.A.Z.A.A.; Validation, L.A.Z.A.A.; Formal Analysis, L.A.Z.A.A.; Investigation, L.A.Z.A.A.; Resources, L.A.Z.A.A. and M.A.A.; Data Curation, L.A.Z.A.A.; Writing—Original Draft, L.A.Z.A.A.; Writing—Review and Editing, L.A.Z.A.A. and M.A.A.; Visualization, L.A.Z.A.A.; Supervision, L.A.Z.A.A.; Project Administration, L.A.Z.A.A. and M.A.A.; Funding Acquisition, M.A.A. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Deanship of Postgraduate Studies and Scientific Research at Majmaah University (project number R-2026-137), and the authors extend their appreciation for the support.

Institutional Review Board Statement

Ethical review was waived for this study by the Beni-Suef University Committee, as it is non-interventional social science research without vulnerable populations or sensitive data, exempted under Beni-Suef University’s Charter of Ethics and Office for Ethical Compliance in accordance with Egyptian Universities Organisation Law No. 49/1972.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding authors.

Acknowledgments

The authors thank the anonymous reviewers, academic editor, and managing editor for their valuable feedback and support throughout the editorial process.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this article:
AECGSC: Audit-Enabled Climate Governance for Smart Cities
CAPEX: Capital Expenditure
CFO: Chief Financial Officer
COCDC: Command Operations Control Data Centre
COSO: Committee of Sponsoring Organizations of the Treadway Commission
DOE: U.S. Department of Energy
ERM: Enterprise Risk Management
ERP: Enterprise Resource Planning
ESG: Environmental, Social, and Governance
HSE: Health, Safety and Environment
HVAC: Heating, Ventilation, and Air Conditioning
ICT: Information and Communications Technology
ICSR: Internal Control over Sustainability Reporting
IFRS S2: International Financial Reporting Standard S2 (Climate-Related Disclosures)
INTOSAI: International Organization of Supreme Audit Institutions
ISSB: International Sustainability Standards Board
KPIs: Key Performance Indicators
NCCS: National Climate Change Strategy
NDC: Nationally Determined Contribution
NGFS: Network for Greening the Financial System
NUCA: New Urban Communities Authority
O&M: Operations and Maintenance
OPEX: Operating Expenditure
SAIs: Supreme Audit Institutions
SCADA: Supervisory Control and Data Acquisition
SOE: State-Owned Enterprise
TCFD: Task Force on Climate-related Financial Disclosures
WBCSD: World Business Council for Sustainable Development
WGEA: Working Group on Environmental Auditing

Appendix A

Table A1. Informed consent form.
Section: Details
Study title: Reframing Climate Governance: How an Internal Audit Makes Smart-City Resilience Enforceable in an Egyptian State-Owned Enterprise
Researchers: Loai Ali Zeenalabden Ali Alsaid, Department of Accounting, Faculty of Commerce, Beni-Suef University, Egypt—loai.ali@commerce.bsu.edu.eg
Muhannad Abdulaziz Alyousef, Department of Accounting, College of Business Administration, Majmaah University, Saudi Arabia—m.alyosef@mu.edu.sa
Purpose of the study: You are invited to participate in a research project that seeks to understand how climate-related risks are governed within Egypt’s smart-city initiatives and how an internal audit contributes to translating climate scenarios into operational, technical, and reporting decisions. The study follows a non-interventional, interpretive approach involving professional interviews to gain insight into governance practices, risk-management routines, and internal audit processes. Your participation will help the researchers develop a more comprehensive understanding of how climate-risk frameworks are implemented in practice across public-sector and smart-city settings.
Why you have been invited: You have been approached because your professional role provides relevant knowledge or experience concerning climate-risk governance, sustainability reporting, smart-city operations, internal audits, or related organisational processes. Your participation is sought purely for academic purposes, and it carries no implications for your employment status, performance evaluation, or organisational responsibilities. Your insight is valuable because it reflects practical expertise rather than personal or sensitive information.
What participation involves: If you agree to participate, you will take part in a semi-structured interview lasting approximately 30 to 120 min. The discussion will focus solely on professional practices and organisational routines related to climate-risk management and audit processes. With your permission, the interview may be audio-recorded so the researchers can accurately reflect your contribution during analysis. You may choose not to answer any question, and you may request a pause or clarification at any point during the interview. After the interview, the researchers may contact you briefly if necessary to clarify any points to ensure that your views are represented accurately.
Voluntary participation and right to withdraw: Participation in this study is entirely voluntary. You have the right to decline participation and the right to withdraw at any time prior to the anonymisation of your interview data. If you decide to withdraw, no reason is required, and your decision will carry no negative consequences. Once the data are anonymised and integrated into aggregated findings, withdrawal may no longer be possible because your identity will not be traceable within the dataset.
Confidentiality and data handling: All information you provide will be treated in strict confidence. Your name, job title, organisation, and any potential identifiers will be removed during transcription and analysis. The anonymised data will be stored securely and accessed only by the research team. Your contribution will appear in publications only in aggregated, non-identifiable form, and quotations will be paraphrased or generalised when necessary to ensure anonymity. No information that could permit identification will be shared with employers, colleagues, or third parties. The study complies with the ethical exemption criteria applicable to non-interventional social-science research involving professionals under Beni-Suef University’s Charter of Ethics.
Potential risks and benefits: Participation in this study carries no foreseeable risks, as the interview will focus exclusively on professional practices rather than personal or sensitive matters. You will not be asked to disclose confidential organisational data beyond what you feel is appropriate within your professional discretion. Although you may not receive direct personal benefit from taking part, your insights will support the development of academic knowledge on climate-risk governance, contribute to methodological improvements in internal audit and sustainability reporting, and assist in shaping practical governance recommendations relevant to public-sector entities and smart-city initiatives.
Use of information and publication: The anonymised information you provide will be used exclusively for academic purposes. The findings may be included in peer-reviewed journal articles, academic presentations, teaching materials, and related scholarly outputs. No publications arising from this study will contain any information that could directly or indirectly identify you. The research team is committed to ensuring that all reporting is accurate, responsible, and consistent with international ethical standards.
Contact information: If you have any questions about your participation, the study procedures, or your rights as a participant, you may contact either of the researchers by email. You may also request additional clarification at any point before, during, or after the interview. The researchers will respond promptly to ensure your comfort and understanding throughout the process.
Participant consent statement: By signing below, I confirm that I have read and understood the information contained in this form. I acknowledge that I have had the opportunity to ask questions, that participation is voluntary, and that I may withdraw at any time prior to data anonymisation. I agree to participate in the study under the conditions described.
Participant name: _____________________________________________
Signature: _____________________________________________________
Date: _________________________________________________________
Researchers’ confirmation: We confirm that we have explained the purpose and procedures of the study to the participant and have addressed all questions raised. We affirm that the participant was given sufficient information to make an informed and voluntary decision regarding participation.
Researcher 1 name: _____________________________________________
Signature: _____________________________________________________
Date: _________________________________________________________
Researcher 2 name: _____________________________________________
Signature: _____________________________________________________
Date: _________________________________________________________

References

  1. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Achieving Effective Internal Control over Sustainability Reporting (ICSR). 2023. Available online: https://www.imanet.org/research-publications/ima-reports/coso (accessed on 12 November 2025).
  2. International Financial Reporting Standards (IFRS) Foundation. IFRS S2: Climate-Related Disclosures. 2023. Available online: https://www.ifrs.org/issued-standards/ifrs-sustainability-standards-navigator/ifrs-s2-climate-related-disclosures/ (accessed on 31 August 2025).
  3. World Bank. Climate Risk Country Profile: Egypt; World Bank Group: Washington, DC, USA, 2021; Available online: https://climateknowledgeportal.worldbank.org/sites/default/files/2021-04/15723-WB_Egypt%20Country%20Profile-WEB-2_0.pdf (accessed on 31 August 2025).
  4. Intergovernmental Panel on Climate Change (IPCC). Climate Change 2023: Synthesis Report; Contribution of Working Groups I, II and III to the Sixth Assessment Report of the Intergovernmental Panel on Climate Change; Lee, H., Romero, J., Eds.; IPCC: Geneva, Switzerland, 2023.
  5. Egypt—Ministry of Planning and Economic Development (MPED). Egypt Vision 2030. 2025. Available online: https://mped.gov.eg/DynamicPage?id=115&lang=en (accessed on 15 October 2025).
  6. Nam, T.; Pardo, T.A. Conceptualizing smart city with dimensions of technology, people, and institutions. In Proceedings of the 12th Annual International Digital Government Research Conference: Digital Government Innovation in Challenging Times; ACM: New York, NY, USA, 2011; pp. 282–291.
  7. Batty, M.; Axhausen, K.W.; Giannotti, F.; Pozdnoukhov, A.; Bazzani, A.; Wachowicz, M.; Ouzounis, G.; Portugali, Y. Smart cities of the future. Eur. Phys. J. Spec. Top. 2012, 214, 481–518.
  8. Meijer, A.; Rodríguez Bolívar, M.P. Governing the smart city: A review of the literature on smart urban governance. Int. Rev. Adm. Sci. 2016, 82, 392–408.
  9. Khan, K.D.; Guo, X.; Khan, T.; Saeed, M. Risk management strategies and climate change adoption policy: A global literature review using bibliometric analysis. Nat. Hazards 2025, 121, 10601–10622.
  10. Anton, S.G.; Nucu, A.E.A. Enterprise risk management: A literature review and agenda for future research. J. Risk Financ. Manag. 2020, 13, 281.
  11. Institute of Internal Auditors (IIA). Internal Audit’s Role in ESG Reporting (White Paper). 2021. Available online: https://www.theiia.org/globalassets/documents/communications/2021/june/white-paper-internal-audits-role-in-esg-reporting.pdf (accessed on 6 October 2025).
  12. Institute of Internal Auditors (IIA). Global Internal Audit Standards and Guidance—Including Climate-Risk Considerations. 2023. Available online: https://www.theiia.org/en/standards/ (accessed on 6 October 2025).
  13. International Organization of Supreme Audit Institutions (INTOSAI); Working Group on Environmental Auditing (WGEA). Guidance on Environmental and Climate Adaptation Auditing. 2025. Available online: https://www.intosai.org (accessed on 31 August 2025).
  14. Dillard, J.F.; Rigsby, J.T.; Goodman, C. The making and remaking of organization context: Duality and the institutionalization process. Account. Audit. Account. J. 2004, 17, 506–542.
  15. Giddens, A. The Constitution of Society: Outline of the Theory of Structuration; University of California Press: Berkeley, CA, USA, 1984.
  16. Scott, W.R. Institutions and Organizations; Sage Publications: Thousand Oaks, CA, USA, 1995.
  17. Burns, J.; Scapens, R.W. Conceptualizing management accounting change: An institutional framework. Manag. Account. Res. 2000, 11, 3–25.
  18. Alawattage, C.; Alsaid, L.A. Accounting and structural reforms: A case study of Egyptian electricity. Crit. Perspect. Account. 2018, 50, 15–35.
  19. Alsaid, L.A.Z.A. Performance measurement in smart city governance: A case study of an Egyptian city council. J. Account. Emerg. Econ. 2021, 11, 395–430.
  20. Alsaid, L.A.Z.A. Smart city dynamics and multi-level management accounting: Unfolding a case of sustainable enterprise resource planning. Sustain. Account. Manag. Policy J. 2022, 13, 30–54.
  21. Yin, R.K. Case Study Research and Applications: Design and Methods, 6th ed.; SAGE Publications: Thousand Oaks, CA, USA, 2018.
  22. Lincoln, Y.S.; Guba, E.G. Naturalistic Inquiry; SAGE Publications: Beverly Hills, CA, USA, 1985.
  23. Miles, M.B.; Huberman, A.M.; Saldaña, J. Qualitative Data Analysis: A Methods Sourcebook, 3rd ed.; SAGE Publications: Thousand Oaks, CA, USA, 2014.
  24. Egyptian National Determined Contribution (NDC). Egypt’s Updated Nationally Determined Contribution; Ministry of Environment, Arab Republic of Egypt: Cairo, Egypt, 2022; Available online: https://unfccc.int/sites/default/files/NDC/2022-07/Egypt%20Updated%20NDC.pdf.pdf (accessed on 12 November 2025).
  25. U.S. Department of Energy (DOE). 2024 Smart Grid System Report; U.S. Department of Energy: Washington, DC, USA, 2024. Available online: https://www.energy.gov/sites/default/files/2024-02/2024%20Smart%20Grid%20System%20Report_untagged.pdf (accessed on 31 August 2025).
  26. Faruqui, A.; Sergici, S. Household response to dynamic pricing of electricity: A survey of 15 experiments. J. Regul. Econ. 2010, 38, 193–225.
  27. Kim, S.; Kim, D. Climate change and cooling equity: Spatial dynamics of vulnerable populations. Growth Change 2024, 55, e12701.
  28. Humes, H.; Farrell, N. The equity and efficiency effects of energy subsidy cost-recovery. J. Econ. Inequal. 2025, 23, 1309–1335.
  29. World Economic Forum. The Global Risks Report 2024; World Economic Forum: Geneva, Switzerland, 2024; Available online: https://www.weforum.org/publications/global-risks-report-2024/ (accessed on 12 November 2025).
  30. Carney, M. Breaking the Tragedy of the Horizon: Climate Change and Financial Stability; Speech Given at Lloyd’s of London; Bank of England: London, UK, 2015; Available online: https://www.bankofengland.co.uk/speech/2015/breaking-the-tragedy-of-the-horizon-climate-change-and-financial-stability (accessed on 15 October 2025).
  31. Committee of Sponsoring Organizations of the Treadway Commission & World Business Council for Sustainable Development (COSO–WBCSD). Enterprise Risk Management: Applying Enterprise Risk Management to Environmental, Social and Governance-Related Risks. 2018. Available online: https://docs.wbcsd.org/2018/10/COSO_WBCSD_ESGERM_Guidance.pdf (accessed on 12 November 2025).
  32. Gleißner, W.; Berger, T.B. Enterprise risk management: Improving embedded risk management and risk governance. Risks 2024, 12, 196.
  33. Ahmed, I.; Basit, A.; Ahmad, M.; AlMuhaini, M.; Khalid, M. Electric mobility challenges and approaches for sustainable green power synergy in smart cities. Arab. J. Sci. Eng. 2024, 50, 5323–5351.
  34. Government Accountability Office (GAO). Climate Resilience: Opportunities to Improve Federal Planning and Implementation (GAO-22-105688). 2022. Available online: https://www.gao.gov/assets/gao-22-105688.pdf (accessed on 1 December 2025).
  35. Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrating with Strategy and Performance. 2017. Available online: https://alacommunity.org/wp-content/uploads/2024/12/03.COSO_.ERM_.Integrating-with-Strategy-and-Performance.Executive-Summary.2017.pdf (accessed on 12 November 2025).
  36. National Renewable Energy Laboratory & Pacific Northwest National Laboratory (NREL/PNNL) Briefing. Status of Power System Transformation: Leading Topics of 2024. 2024. Available online: https://www.nrel.gov/docs/fy24osti/91357.pdf (accessed on 12 November 2025).
  37. PJM Interconnection. 2025 Demand Response Operations Markets Activity Report. 2025. Available online: https://www.pjm.com/-/media/DotCom/markets-ops/dsr/2025-demand-response-activity-report.pdf (accessed on 6 October 2025).
  38. Energy Systems Integration Group (ESIG). Gaps, Barriers, and Solutions to Demand Response Participation in Wholesale Markets. 2025. Available online: https://www.esig.energy (accessed on 1 December 2025).
  39. Office of Scientific and Technical Information (OSTI). Analysis of Dynamic Tariff Policies and Consumer Adoption; U.S. Department of Energy: Washington, DC, USA, 2025. Available online: https://www.osti.gov/ (accessed on 12 December 2025).
  40. State Information Service (SIS). Egyptian Smart Cities Strategy. 2025. Available online: https://sis.gov.eg/en/media-center/strategies/egyptian-smart-cities-strategy/ (accessed on 14 September 2025).
  41. InvestGate. Giza Systems Wins COC Data Center Project in New Alamein City. 2024. Available online: https://invest-gate.me/news/giza-systems-wins-key-coc-data-center-project-in-new-alamein-city/ (accessed on 14 September 2025).
  42. InvestGate. Housing Ministry Advances Localization of Smart Water Meter Manufacturing in Egypt. 2025. Available online: https://invest-gate.me/news/housing-ministry-advances-localization-of-smart-water-meter-manufacturing-in-egypt/ (accessed on 14 September 2025).
  43. El Sayed, A. Egypt eyes smart solutions for water, sanitation in new cities. Amwal Al Ghad. 24 March 2025. Available online: https://en.amwalalghad.com/egypt-eyes-smart-solutions-for-water-sanitation-in-new-cities/ (accessed on 15 October 2025).
  44. Kadry, M.K.; Husain, H.R. What do Egypt’s new urban communities need to outperform? A strategic framework for equitable population redistribution. J. Contemp. Urban Aff. 2025, 9, 187–209.
  45. DiMaggio, P.J.; Powell, W.W. The iron cage revisited: Institutional isomorphism and collective rationality in organizational fields. Am. Sociol. Rev. 1983, 48, 147–160.
  46. Weber, M. The Protestant Ethic and the Spirit of Capitalism; Scribner: New York, NY, USA, 1958.
  47. Weber, M. Economy and Society: An Outline of Interpretive Sociology; University of California Press: Berkeley, CA, USA, 1968.
  48. Public Utilities Board (PUB). Sustainability Report 2023: Building Our Water Future. 2023. Available online: https://www.pub.gov.sg/-/media/PUB/PDF/To-Publish-PUB-SR-23-Final.pdf (accessed on 6 October 2025).
  49. Masdar City. Masdar City 2024 ESG Report; Masdar City: Abu Dhabi, United Arab Emirates, 2024; Available online: https://masdarcity.ae/sustainable-urban-development/sustainability-reports (accessed on 12 December 2025).
  50. European Commission. Forging a Climate-Resilient Europe: The New EU Strategy on Adaptation to Climate Change (COM/2021/82 Final); European Commission: Brussels, Belgium, 2021. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021DC0082 (accessed on 1 December 2025).
  51. Kvale, S.; Brinkmann, S. InterViews: Learning the Craft of Qualitative Research Interviewing, 3rd ed.; SAGE Publications: Thousand Oaks, CA, USA, 2015.
  52. Patton, M.Q. Qualitative Research & Evaluation Methods: Integrating Theory and Practice, 4th ed.; SAGE Publications: Thousand Oaks, CA, USA, 2015.
  53. Bowen, G.A. Document analysis as a qualitative research method. Qual. Res. J. 2009, 9, 27–40.
  54. Prior, L. Repositioning documents in social research: Textuality, knowledge and validity. Sociology 2008, 42, 821–836.
  55. Spradley, J.P. Participant Observation; Holt, Rinehart and Winston: New York, NY, USA, 1980.
  56. Saldaña, J. The Coding Manual for Qualitative Researchers, 4th ed.; SAGE Publications: Thousand Oaks, CA, USA, 2021.
  57. Denzin, N.K. The Research Act: A Theoretical Introduction to Sociological Methods, 2nd ed.; McGraw-Hill: New York, NY, USA, 1978.
  58. Harper Ho, V. Climate disclosure line-drawing and securities regulation. UC Davis Law Rev. 2023, 56, 1877–1930. Available online: https://lawreview.law.ucdavis.edu/sites/g/files/dgvnsk15026/files/media/documents/56-5_Harper_Ho.pdf (accessed on 25 March 2026).
  59. Lokanan, M. Can internal controls prevent fraud? Evaluating COSO with statistical and machine learning methods. Acad. AI Appl. 2026, 2, 1–22.
Figure 1. COSO integrated risk-and-control framework aligned with IFRS S2 (Source: authors).
Figure 2. AECGSC mind map: audit-enabled climate governance for smart cities (Source: authors).
Figure 3. Threshold-to-specification workflow for auditable climate-risk governance (Source: authors).
Table 1. Interview protocol with alignment to institutional model, conceptual framework, and key findings.
Columns: Institutional Model [14]; AECGSC Framework Component; Interview Questions & Prompts; Key Findings.

Institutional Model [14]: Political–Economic Level
AECGSC Framework Component: Climate-Risk Portfolio Mapped to Smart-City Asset Classes
Interview Questions & Prompts:
Q1a: How do Egypt’s national climate strategies (e.g., NCCS 2050, NDC) shape YSF’s risk appetite and continuity thresholds for coastal, water, energy/district cooling, mobility, and data-centre assets?
Follow-up: Which assets receive priority, and on what public-value or resilience logic?
Q1b: How are CAPEX/OPEX allocations justified for climate adaptation and mitigation under NUCA’s governance?
Follow-up: What trade-offs occur between cost efficiency and resilience, and how are they documented?
Q1c: How do macro political–economic pressures (budget cycles, delivery targets) affect embedding climate risk in procurement and engineering standards?
Follow-up: What mechanisms reconcile short-term imperatives with long-term resilience goals?
Key Findings:
National strategies set high-level resilience priorities but lack operational clarity.
Resource allocation often favours visible infrastructure over systemic risk mitigation.
Short-term delivery pressures dilute substantive embedding of climate risk.
These macro signals cascade into ERM codification and influence audit scoping.

Institutional Model [14]: Organisational–Field Level
AECGSC Framework Component: COSO ERM-enabled Climate-Risk Governance in Smart-City Delivery
Interview Questions & Prompts:
Q2a: How do professional and regulatory directives specify ERM requirements for climate risk—including assessments of likelihood, severity, velocity, and interconnectivity—within YSF’s smart-city programmes?
Follow-up: How do these directives re-interpret national priorities into governance criteria and decision rights?
Q2b: What sector benchmarks guide scenario design and portfolio views across YSF asset classes?
Follow-up: How do benchmarks influence risk prioritisation and escalation to boards/committees?
Q2c: How is compliance with ERM principles enforced by field actors (regulators, audit committees), and how is alignment between ERM registers and strategic objectives evidenced?
Follow-up: What triggers revision cycles when misalignment or residual risk is detected?
Key Findings:
ERM frameworks are formally adopted but unevenly operationalised.
Scenario analysis remains symbolic in some domains due to resource constraints.
Field-level codification translates macro priorities but lacks enforcement mechanisms.
Audit committees rely on ERM registers without verifying substantive integration.

Institutional Model [14]: Organisational Level
AECGSC Framework Component: Internal Audit and Climate-Risk Assurance as an Integrative Mechanism in Smart-City Governance
Interview Questions & Prompts:
Q3a: How does an internal audit interface with ERM and reporting functions—including ICSR and IFRS S2—to strengthen climate governance at YSF?
Follow-up: In what ways do audit findings feed back to portfolio decisions and resource re-allocation?
Q3b: How are climate-critical programmes—such as coastal works, water, district cooling, smart metering, and data centres—prioritised within the audit universe and scoped on a risk-based basis?
Follow-up: What evidence standards—such as design effectiveness and operating effectiveness—substantiate decision-useful results?
Q3c: How do remediation actions close gaps between symbolic compliance and substantive embedding?
Follow-up: What feedback loops exist to track improvements and inform governance decisions?
Key Findings:
Internal audit acts as the main integrator across ERM and disclosure but is resource-limited.
Assurance focuses on compliance rather than resilience outcomes.
Feedback loops exist but are informal, limiting systemic learning.
Audit findings rarely escalate to influence macro resource logic—closing the loop remains weak.
Source: authors.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
