No, the user didn't understand until several attempts to drill it in (I remember she specifically said "I find that hard to believe"), but basically I explained that all security logging that takes place occurs in Event Viewer, which does not offer any options for logging when specific files are deleted by specific users (especially when the user is deleting something remotely via a network share). I assured her that the only way to create such an in-depth logging solution would be to go with a third party program -- and of course they were way too cheap-minded to consider such a thing.

If memory serves correct, at the most you can sort of log file access attempts from users directly logged in to the server, and even that is a long shot.