The terms policy and procedure are often used interchangeably. The two types of information are also often mixed up in the same document, which doesn't help the reader understand the rules and practices of the organization.
Policies are the business rules and guidelines that are the basic operating principles of a business. Policy documents spell out those rules, focusing on general principles and the rationale behind them.
Procedures are the specific steps taken to accomplish a task. They spell out the who, what, when, and where in great detail. Procedures are the practical implementation of the abstract policy.
Here's an example of a bank's policy and procedures:
Policy: "We do not lose our customers' money because of carelessness or malfeasance."
Related Procedures: There will be a number of procedures for taking in and giving out money in a bank account. There will be other procedures for making sure that bank employees can't get their hands on the money. These procedures will detail who does what when, what computer systems and other records they use, and what controls make sure these procedures are properly carried out.
Keeping policies and procedures distinct, either in separate documents or separate sections of one document, gives your readers and your auditors a clear picture of how and why your business functions.