Why Document Control Matters in Regulated UK Organisations
Published 29 March 2026 · Last reviewed 15 March 2026
A CQC inspector asks to see your infection control policy. The practice manager opens the shared drive, finds three files named "IPC Policy," and is not sure which is current. One is dated 2023. One has "DRAFT" in the filename. One has no date at all.
That is a document control failure — and it happens in organisations of every size. The difference between a well-run organisation and one that scrambles before inspections often comes down to whether their documents are controlled or just stored.
Document Control vs. Document Storage
Document storage is putting files somewhere people can find them. Document control is knowing which version is current, who approved it, when it was last reviewed, and who has access to it.
The distinction matters because regulators do not ask "do you have policies?" — they ask "are your policies current, approved, and followed?" An organisation with 100 policies in a well-organised shared drive but no version control, no approval records, and no review schedule has document storage. It does not have document control.
What Regulators Actually Check
CQC (GP practices, dental practices)
Regulation 17 requires records that are "accurate, complete and contemporaneous." In practice, CQC inspectors look for:
- The current version of key policies (safeguarding, IPC, medicines management)
- Evidence that policies have been reviewed and approved — not just that they exist
- An audit trail showing when policies were updated and by whom
- Staff awareness — can team members find and describe the policies relevant to their role?
A policy with no review date, no approval record, or no evidence of staff awareness is a governance concern regardless of how well-written the content is.
Ofsted (schools)
Ofsted expects statutory policies to be current and accessible. The governing body must approve them, and certain policies must be published on the school website. Inspectors follow threads — they ask about safeguarding procedures and then check whether the safeguarding policy matches what staff describe.
Schools with poor document control often discover during inspection that their published website policies are outdated versions while the current version sits in a folder only the head teacher can access.
Charity Commission
The Charity Governance Code expects trustees to maintain oversight of policies. Outdated or unapproved policies are evidence of weak governance — and in serious cases, the Charity Commission can open a regulatory compliance case.
Internal and external audit (councils)
Parish and town councils are subject to annual audit. Auditors check that standing orders, financial regulations, and governance policies are current and have been formally adopted. An outdated financial regulation is an audit finding that appears in the annual report.
What Goes Wrong Without Document Control
Version confusion. Multiple copies of the same policy in different locations, with different dates. Staff follow the wrong version. Inspectors find contradictions between the version on the website and the version in the policy folder.
Missed reviews. Without a review schedule, policies silently expire. A policy due for annual review in September 2024 is still the "current" version in March 2026. Nobody noticed because nobody was tracking it.
No approval evidence. The policy was reviewed — someone updated it, saved it, and moved on. But there is no record of who approved the updated version. When an inspector asks, the answer is "I think the governing body discussed it," which is not evidence.
Orphaned policies. The person who owned a policy leaves the organisation. Nobody inherits it. The policy drifts, unreviewed, for years.
Inconsistency across sites. MATs, GP practice groups, and multi-site charities often have different versions of the same policy at different locations. Without central document control, consistency is impossible.
The Five Pillars of Document Control
Effective document control for a regulated organisation covers five areas:
1. Version Management
Every policy has a version number, a date, and a clear indicator of which version is current. Previous versions are archived, not deleted — regulators may need to see what a policy said at a specific point in time.
2. Approval Records
Every policy has a formal approval — who approved it, when, and which version. For schools, this means governing body minutes. For GP practices, partner or practice manager sign-off. For charities, trustee approval.
3. Review Scheduling
Every policy has a defined review frequency and a scheduled next review date. Someone is responsible for each policy, and reminders go out before the deadline.
4. Distribution and Access
Staff know where to find current policies and can access them when needed. For critical policies like safeguarding and data protection, there is evidence that staff have read and understood them.
5. Audit Trail
Every action on a policy — creation, review, approval, distribution — is recorded. This is what you show an inspector, auditor, or governing body to prove your document control works.
Practical Steps to Improve Document Control
For organisations currently using shared drives
- Audit your policy folder. List every policy document, its date, and its owner. Delete or archive duplicates, drafts, and superseded versions.
- Create a policy register. Use our free Policy Register Template to build a structured register with owners, review dates, and version numbers.
- Set review dates. Use our Policy Review Schedule Generator to calculate review dates and export them to your calendar.
- Establish naming conventions. "Safeguarding Policy v3.0 - Approved 2026-01-15" is findable. "safeguarding policy FINAL (2).docx" is not.
- Record approvals separately. Do not rely on document footers — maintain a register or minutes that record approval dates and approvers.
For organisations ready to move beyond spreadsheets
A purpose-built policy management system automates version control, reminders, approvals, and audit trails. For an overview of what to look for, see our buyer's guide to policy management software.
Document Control is Not a Filing Task
The most common mistake is treating document control as administration — something the office manager does when they have time. In reality, document control is a governance function. It is how you prove to your regulator that your organisation is well-managed, that your policies are current, and that your staff follow documented procedures.
For organisations subject to CQC, Ofsted, Charity Commission, or audit scrutiny, document control is not optional. It is the evidence base for your governance.
PolicyBoard is designed to automate the document control functions that matter most for regulated UK organisations — version tracking, automated review reminders, approval workflows, and a compliance dashboard. Join the waitlist to be notified when it launches.
This article covers general principles of document control for UK regulated organisations. It is not legal advice.
Stop tracking policy reviews in spreadsheets
PolicyBoard automates review reminders, approval workflows, and compliance dashboards for UK regulated organisations.
Related articles
Control of Documentation: A UK Compliance Guide Beyond ISO
Document control for UK regulated organisations — what CQC, Ofsted, and the Charity Commission expect, how it differs from ISO quality management, and how to get it right.
Policy Lifecycle Management: From Creation to Retirement
The six stages of policy lifecycle management for UK schools, GP practices, charities, and councils — from drafting through approval, distribution, review, and retirement.
Policy Document Management Software: What Small UK Organisations Actually Need
Most policy management software is built for enterprises. Here is what small UK schools, GP practices, charities, and councils actually need — and what they can skip.