As part of the risk management function of a company, best practice suggests that internal auditors should report:

a. to the chief risk officer.
b. to the chief financial officer.
c. to a designated committee established by the board of directors.