Privacy International, which has been engaged in legal challenges over GCHQ spying for the past few years, has obtained an oversight document as a result of its litigation. What it shows is the agency's broad hacking powers and the reluctance of its oversight to condone these actions.
The Commissioner of the Intelligence Services was slow to respond to hacking. Many of the concerns the Commissioner raised in his 2014 report [published July 2015] are the subject of PI's legal complaint, including whether it is lawful to use broad "thematic warrants" to justify the hacking of people in the UK. The Commissioner questioned this practice in depth. He was concerned that current law "does not expressly allow for a class of authorisation", and therefore the warrants were too broad. As a result, the Commissioner was worried that the Secretary of State was unable to properly assess whether the warrant authorised activity was necessary and proportionate. [ibid, p18] This means that GCHQ could get a warrant in the UK to hack the computer of everyone in Birmingham with little meaningful oversight.
Broad warrants at home -- signed by someone who may not have had any idea exactly what they were authorizing. No warrants, for the most part, for extraterritorial hacking. Testimony on behalf of the GCHQ by its director of cyber-security points out that the Secretary of State (who handles surveillance warrants) is rarely consulted when the target is foreign. The only exceptions are if the GCHQ feels the target may be "sensitive" or "politically risky." Otherwise, the GCHQ grants itself permission to carry out these attacks.
Two other agencies that write their own hacking orders (MI5 and the Secret Intelligence Service) also do what they can to eliminate whatever minimal paper trail these actions might generate.