Does anyone have an effective 2nd line function within their IT organization? I am looking for a good example, including details such as their responsibilities, whether they perform or at least collaborate on an IT risk assessment, whether they do testing of the control environment, the size of the function relative to the overall IT organization, and their interaction with internal audit. Also, are these professionals fully devoted to their 2nd line role or is it just a part of their overall responsibilities?

CFO, 2 years ago

I work for a smaller organization; however, I do have the equivalent of a Business Analyst on my Finance/Systems team that works closely with IT. The BA creates and delivers the business use cases and the narratives needed by the QAs and dev teams and also focuses on testing prior to every deployment or system upgrade. We slowly rolled out the business BAs to report to the business units, whereas before they reported to IT. A slower process than I would like it to be (IT reluctant to relinquish control), but one that is paying dividends.

Vice President - Internal Audit and Enterprise Risk Management in Healthcare and Biotech, 2 years ago

We have an IT Risk team that rolls up under our CISO. They primarily consult with IT, and the business, providing guidance on IT risks and controls. They do not perform any testing of control effectiveness. They do help coordinate our numerous external audits, and also serve as a resource to assist with internal audit coordination when needed. This team is a bit larger than our IT audit team - four resources vs. audit's 2.5.

IA interfaces with this team regularly.  We share information and do a lot of pressure testing of ideas and potential approaches to risks and issues. 

Reply, 2 years ago

Thank you, Martin. One follow-up question - does the IT Risk team perform a risk assessment on behalf of IT? Or do they provide information to IT as IT develops its own risk assessment?

Reply, 2 years ago

The IT Risk team does conduct (or engages external firms to perform at their direction) the risk assessments. These tend to either be framework-based or fairly tactical in nature, and aren't directly connected to our enterprise risks, other than the one that deals with cyber exposure.
