diff --git a/src/routes/test/oauth2-test.js b/src/routes/test/oauth2-test.js
index c8aae5406..68526932d 100644
--- a/src/routes/test/oauth2-test.js
+++ b/src/routes/test/oauth2-test.js
@@ -30,7 +30,7 @@ var accesscontrol = require('../../accesscontrol.js'),
 
 var SERVER_URL = 'http://localhost:' + config.get('port');
 
-let AUDIT_SOURCE = { ip: '1.2.3.4' };
+let AUDIT_SOURCE = { ip: '1.2.3.4', userId: 'someuserid' };
 
 describe('OAuth2', function () {
 
@@ -221,7 +221,7 @@ describe('OAuth2', function () {
                 clientdb.add.bind(null, CLIENT_7.id, CLIENT_7.appId, CLIENT_7.type, CLIENT_7.clientSecret, CLIENT_7.redirectURI, CLIENT_7.scope),
                 clientdb.add.bind(null, CLIENT_9.id, CLIENT_9.appId, CLIENT_9.type, CLIENT_9.clientSecret, CLIENT_9.redirectURI, CLIENT_9.scope),
                 function (callback) {
-                    users.create(USER_0.username, USER_0.password, USER_0.email, USER_0.displayName, { }, null /* source */, function (error, userObject) {
+                    users.create(USER_0.username, USER_0.password, USER_0.email, USER_0.displayName, { }, AUDIT_SOURCE, function (error, userObject) {
                         expect(error).to.not.be.ok();
 
                         // update the global objects to reflect the new user id
diff --git a/src/users.js b/src/users.js
index 1928f7012..d567c8eb5 100644
--- a/src/users.js
+++ b/src/users.js
@@ -150,7 +150,7 @@ function create(username, password, email, displayName, options, auditSource, ca
     assert.strictEqual(typeof email, 'string');
     assert.strictEqual(typeof displayName, 'string');
     assert(options && typeof options === 'object');
-    assert.strictEqual(typeof auditSource, 'object');
+    assert(auditSource && typeof auditSource === 'object');
 
     const isOwner = !!options.owner;
     const isAdmin = !!options.admin;
@@ -289,7 +289,7 @@ function verifyWithEmail(email, password, callback) {
 
 function removeUser(userId, auditSource, callback) {
     assert.strictEqual(typeof userId, 'string');
-    assert.strictEqual(typeof auditSource, 'object');
+    assert(auditSource && typeof auditSource === 'object');
     assert.strictEqual(typeof callback, 'function');
 
     get(userId, function (error, user) {
@@ -389,7 +389,7 @@ function getByResetToken(email, resetToken, callback) {
 function updateUser(userId, data, auditSource, callback) {
     assert.strictEqual(typeof userId, 'string');
     assert.strictEqual(typeof data, 'object');
-    assert.strictEqual(typeof auditSource, 'object');
+    assert(auditSource && typeof auditSource === 'object');
     assert.strictEqual(typeof callback, 'function');
 
     var error;
@@ -524,7 +524,7 @@ function createOwner(username, password, email, displayName, auditSource, callba
     assert.strictEqual(typeof password, 'string');
     assert.strictEqual(typeof email, 'string');
     assert.strictEqual(typeof displayName, 'string');
-    assert.strictEqual(typeof auditSource, 'object');
+    assert(auditSource && typeof auditSource === 'object');
     assert.strictEqual(typeof callback, 'function');
 
     // This is only not allowed for the owner
@@ -647,7 +647,7 @@ function disableTwoFactorAuthentication(userId, callback) {
 function transferOwnership(oldOwnerId, newOwnerId, auditSource, callback) {
     assert.strictEqual(typeof oldOwnerId, 'string');
     assert.strictEqual(typeof newOwnerId, 'string');
-    assert.strictEqual(typeof auditSource, 'object');
+    assert(auditSource && typeof auditSource === 'object');
     assert.strictEqual(typeof callback, 'function');
 
     apps.transferOwnership(oldOwnerId, newOwnerId, function (error) {