When planning the work program for an assurance engagement, an internal auditor should first review the department's business objectives and then identify risks. This is because understanding the risks associated with failing to achieve business objectives is crucial for developing an effective audit plan. Identifying and assessing risks will guide the auditor in determining the scope and focus of the engagement, which will subsequently influence the review of controls and evaluation of vulnerabilities.