Richard Bejtlich writes about fraud, waste, and abuse (FWA) being beyond the purview of network security monitoring. I tend to agree, but the situation, as Bejtlich notes, isn't clear-cut.
It is important to keep in mind that part of the reason organizations fund information security departments is to help with fraud, waste, and abuse as well as "sexier" problems such as espionage, theft, and destruction. As I've written previously, information security should focus on preventing and detecting unauthorized access. When fraud, waste, or abuse is carried out by gaining and exploiting unauthorized access, then the organization should rightfully expect the security monitoring team to detect it and alert the incident response or investigation team.
However, detecting FWA carried out by folks using authorized access in inappropriate ways is typically beyond the capabilities of most security monitoring teams. Expecting your monitoring team to detect improper entries in an expense report is rather unreasonable.